Holiday Weekend Update

Both Houses of Congress are on State / District work breaks this week.

From the COVID-19 front, the Wall Street Journal offers two important reports:

  • As the Delta variant of the coronavirus surges through the United Kingdom [U.K.], almost half of the country’s recent Covid-19 deaths are of people who have been vaccinated. But doctors and scientists aren’t sounding the alarm about the apparently high proportion of deaths among the vaccinated population. On the contrary, they say the figures so far offer reassurance that vaccines offer substantial protection against the variant, particularly after two doses. Delta, first identified in India, has since spread to at least 85 countries, including the U.S., where it is now estimated to be the most common variant.
  • Also here are the top-line recommendations for what parents with unvaccinated children should know this summer: 1. keep unvaccinated kids’ masks on indoors; 2. look out for regional hotspots; 3. weigh travel plans carefully / stay closer to home; 4. consider higher precautions for higher-risk children; 5. get your family vaccinated as soon as a family member becomes eligible; and 6. check local recommendations before traveling.

From the cybersecurity front, the Journal updates us on the Kaseya ransomware situation:

The hackers were able to distribute ransomware by exploiting several vulnerabilities in the VSA software, a Kaseya spokeswoman said.

One of them, discovered by a Dutch security researcher, was in the process of being patched by Kaseya before the ransomware attack occurred, said Victor Gevers, chairman of the volunteer-run security group, the Dutch Institute for Vulnerability Disclosure.

“Kaseya understood the problem and they were rushing to produce a patch,” Mr. Gevers said. Mr. Gevers said the bug was due to a simple error in the company’s code.

About 50 of Kaseya’s customers were compromised and about 40 of those customers were sellers of IT services, known as managed service providers, Mr. Voccola said. By breaking into MSPs, the hackers were able to expand their impact, performing what security experts call a supply-chain attack.

Security companies estimate that hundreds of organizations, all of them customers of those 40 or so service providers, have now been hit by the ransomware, making it one of the most widespread incidents to date. But almost all of them are small and medium-size organizations, cybersecurity experts said, with the impact often not immediately apparent to the wider public. * * *

The hackers behind the latest incident are known as the REvil ransomware group. They are asking for $70 million to unlock all the affected systems but victims of the group can also pay amounts varying between $25,000 and $5 million directly to unlock their systems even if nobody pays the $70 million.

In an eye-catching tidbit, Becker’s Hospital Review reports that the staff at Fort Worth’s Andrews Women’s Hospital delivered 107 babies over a 91-hour period last week. A COVID baby boom?

Happy 4th of July

The Wall Street Journal reports tonight that

On Sunday evening, roughly 1,000 people—mostly essential workers and military families—gathered on the White House’s South Lawn. It was covered with red, white and blue decorations and dotted with festive tables and signs that read “America’s Back Together.” The crowd listened to military bands and dined on burgers, chicken sandwiches and pulled pork.

Mr. Biden struck an optimistic tone in his remarks, noting that Americans were gathering and celebrating for the holiday. However, he emphasized the lives lost and acknowledged that the virus hasn’t been defeated yet, urging people to get vaccinated.

“Do it now, for yourself, for your loved ones, for your community and for your country,” he said. “While the virus hasn’t been vanquished, we know this: It no longer controls our lives, it no longer paralyzes our nation, and it’s within our power to make sure it never does again.”

True that.

However, while grateful for our great country, the principal reason why the FEHBlog is posting tonight is to supplement yesterday’s post on the “REvil * * * attack on Kaseya VSA, software used by large companies and technology-service providers to manage and distribute software updates to systems on computer networks, according to security researchers and VSA’s maker, Kaseya Ltd.” The Journal reports that “REvil is a well-known purveyor of ransomware—malicious software that locks up a victim’s computer until a digital ransom is paid, typically in the form of bitcoin. This latest attack appears to be its largest ever. The incident may have infected as many as 40,000 computers world-wide, according to cybersecurity experts.”

Here is a link to “CISA-FBI Guidance for Managed Service Providers (MSP) and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack”:

CISA and FBI recommend affected MSPs:

  • Download the Kaseya VSA Detection Tool. This tool analyzes a system (either VSA server or managed endpoint) and determines whether any indicators of compromise (IoC) are present.
  • Enable and enforce multi-factor authentication (MFA) on every single account that is under the control of the organization, and—to the maximum extent possible—enable and enforce MFA for customer-facing services.
  • Implement allowlisting to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and/or
  • Place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.
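One concrete way to implement the two network recommendations above (allowlisting RMM traffic to known IP address pairs, and confining the administrative interface to a dedicated administrative network or VPN) is a host firewall ruleset on the machine fronting the RMM server. The nftables ruleset below is an added example written for this post; it is not part of the CISA-FBI guidance or of any vendor’s documentation. The addresses, port numbers and network names are assumptions and placeholders, not Kaseya’s or anyone else’s real values.

```nft
#!/usr/sbin/nft -f
# Added example: allowlist an RMM server's exposed ports with nftables.
# All addresses and ports below are constructed placeholders.

define ADMIN_NET      = 10.20.30.0/24   # assumed dedicated admin network or VPN client pool
define RMM_AGENT_PORT = 5721            # placeholder: the RMM product's agent check-in port
define RMM_ADMIN_PORT = 443             # placeholder: the RMM web administrative interface

# Replaces any existing ruleset on this host; review before loading on a shared system.
flush ruleset

table inet rmm_allowlist {
    # Known (agent source, RMM server) address pairs. Only these combinations
    # may reach the agent port; everything else is dropped and logged.
    set agent_pairs {
        type ipv4_addr . ipv4_addr
        elements = {
            198.51.100.10 . 192.0.2.5,   # constructed sample: managed endpoint -> RMM server
            198.51.100.11 . 192.0.2.5,
        }
    }

    chain input {
        type filter hook input priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif lo accept

        # Agent check-ins: accepted only for known source/destination pairs
        tcp dport $RMM_AGENT_PORT ip saddr . ip daddr @agent_pairs accept

        # Administrative interface and SSH: reachable only from the admin network / VPN
        tcp dport $RMM_ADMIN_PORT ip saddr $ADMIN_NET accept
        tcp dport 22 ip saddr $ADMIN_NET accept

        # Everything else is logged (kernel log, prefix "rmm-denied:") and dropped,
        # so unexpected connection attempts are visible to monitoring
        log prefix "rmm-denied: " counter drop
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset`. The default-drop policy means a new endpoint or administrator address must be added to `agent_pairs` or `ADMIN_NET` deliberately, which is the point of an allowlist; the counter on the final rule gives a quick measure of how much traffic is being refused.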

CISA and FBI recommend MSP customers affected by this attack take immediate action to implement the following cybersecurity best practices. Note: these actions are especially important for MSP customers who do not currently have their RMM service running due to the Kaseya attack.

CISA and FBI recommend affected MSP customers:

  • Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network;
  • Revert to a manual patch management process that follows vendor remediation guidance, including the installation of new patches as soon as they become available;
  • Implement:
    • Multi-factor authentication; and
    • Principle of least privilege on admin accounts for key network resources.

Cybersecurity Saturday

The Wall Street Journal reports this morning that

The ransomware group that collected an $11 million payment from meat producer JBS SA about a month ago has begun a widespread attack that could affect hundreds of organizations world-wide, according to cybersecurity experts.

The group, known as REvil, has focused its attack on Kaseya VSA, software used by large companies and technology-service providers to manage and distribute software updates to systems on computer networks, according to security researchers and VSA’s maker, Kaseya Ltd.

The use of trusted partners like software makers or service providers to identify and compromise new victims, often called a supply-chain attack, is unusual in cases of ransomware, in which hackers shut down the systems of institutions and demand payment to allow them to regain control. The Kaseya incident appears to be the “largest and most significant” such attack to date, said Brett Callow, a threat analyst for cybersecurity company Emsisoft.

SecurityWeek and Bleeping Computer have all of the details on this troubling cyberattack.

In other cyberattack news, Forbes reports on Microsoft’s PrintNightmare, “the name that has been attached to a zero-day vulnerability impacting the Windows print spooler. A vulnerability that can ultimately, it would appear, lead to an attacker taking remote control of an affected system.” Bleeping Computer informs us about available mitigations here and there.

Cyberscoop adds that

Going on offense against attackers and penetrating the secrecy surrounding attacks are two ways the Biden administration is pondering to tackle ransomware, a top White House official [Anne Neuberger] said on Tuesday, June 29.

Neuberger made her remarks as the Biden administration has undertaken a number of initiatives to crack down on ransomware, following the high-profile attacks on Colonial Pipeline and meat supplier JBS. Among them is conducting a ransomware review that includes a focus on disrupting attackers, building an international coalition, studying the U.S. government’s policies and expanding analysis of cryptocurrency given attackers’ use of it to receive payments.

The administration is wary of banning ransomware payments entirely, something Neuberger called a “difficult policy position” that could harm companies who feel they have to pay up to decrypt their networks, even if the U.S. government discourages such payments.

In the tools department

  • This week, “The US Cybersecurity and Infrastructure Security Agency (CISA) has released the Ransomware Readiness Assessment (RRA), a new module for its Cyber Security Evaluation Tool (CSET).”
  • CISA also “is developing a catalog of Bad Practices that are exceptionally risky, especially in organizations supporting Critical Infrastructure or NCFs. The presence of these Bad Practices in organizations that support Critical Infrastructure or NCFs is exceptionally dangerous and increases risk to our critical infrastructure, on which we rely for national security, economic stability, and life, health, and safety of the public. Entries in the catalog will be listed here as they are added. * * * While these practices are dangerous for Critical Infrastructure and NCFs, CISA encourages all organizations to engage in the necessary actions and critical conversations to address Bad Practices.” CISA cautions that the catalog does not necessarily include all Bad Practices. Nevertheless, it’s worth a periodic gander.

Cybersecurity Saturday

The Wall Street Journal reports that the SolarWinds hackers are back at it.

Microsoft Corp. said [in a blog post] hackers, linked by U.S. authorities to Russia’s Foreign Intelligence Service, installed malicious information-stealing software on one of its systems and used information gleaned there to attack its customers. * * *

Most of the attacks were unsuccessful, but three of Microsoft’s customers were compromised during the campaign, the company said. “We have confirmed that two of the compromises were unrelated to the support agent issue, and are continuing to investigate the third instance,” a Microsoft spokesman said.

Microsoft identified the hackers behind the break-in as Nobelium, the same group associated with the sophisticated hack at Austin, Texas-based software maker SolarWinds Corp. U.S. authorities have said this group is part of Russia’s Foreign Intelligence Service, known as the SVR. Russia has denied involvement in the SolarWinds hack. A Russian embassy representative didn’t immediately return a message seeking comment on Microsoft’s blog post.

“This should concern all of us,” said Sherri Davidoff, chief executive of the security consulting firm LMG Security LLC. “Hackers made it past the defenses of one of the world’s most sophisticated technology suppliers, whose software underlies our entire economy.”

ZDNet explains, in an illuminating article about where we stand in the ransomware struggle, that

Regularly updating backups – and storing them offline – also provides another means of lessening the severity of ransomware attacks, because even in the event of the network being encrypted, it’s possible to restore it without paying cyber criminals, which cuts off their main means of income.

Nonetheless, the rise of double extortion attacks has added an extra layer of complexity to this issue because if the organisation doesn’t pay a ransom, they’re faced with the prospect of potentially sensitive information about employees and customers being leaked.

“Do you have a plan if your information starts leaking out?” says Hultquist. “Those pieces need to be in place now, not when it hits the fan.”

While Phoenix NAP Global IT Services describes the 18 best practices to deter ransomware, The Wall Street Journal adds that “companies [now] stress-test systems by emulating successful cyberattacks.” Zurich Insurance via the Financial Times explains “Given that cyber exposures are now seen as inevitable, it only makes sense for businesses to invest in resilience. The fundamentals of resilience are protecting profitability through business continuity and incident response planning. The best way to assess that resilience is to see how quickly and effectively your business can react to any given scenario. That’s what cyber risks stress tests are all about.” The article goes on to break down one of these tests for the reader.

As always, here’s a link to Bleeping Computer’s The Week in Ransomware.

Cybersecurity Saturday

Happy Juneteenth. Cyberscoop reports that

The Senate on Thursday confirmed Chris Inglis as the new White House cyber czar, a role it enacted into law late last year.

The new role will play a key part in coordinating the government response to major hacks and other cybersecurity threats. Inglis takes on the position as the U.S. has dealt with an onslaught of cybersecurity incidents, including ransomware attacks on Colonial Pipeline and meat supplier JBS. The national cyber director will also lead the implementation of cyber policy and strategy, including efforts mandated by the Biden administration to improve federal cybersecurity.

The Wall Street Journal informs us

The private sector in the U.S. must do more to defend against cyberattacks, lawmakers from both major parties stressed Thursday as several senators introduced legislation designed to target hackers. The ransomware incident that brought operations at Colonial Pipeline Co. to a standstill for six days starting May 7, and resulted in fuel shortages across Southeastern states, shows that cybersecurity efforts must improve, said Sen. Sheldon Whitehouse (D., R.I.). “Partly, it’s the national cybersecurity establishment that needs to step up its game. And partly, it’s the corporate community that has been caught with its figurative trousers down,” Mr. Whitehouse said, speaking at a press conference Thursday with Sens. Lindsey Graham (R., S.C.) and Richard Blumenthal (D., Conn.).

* * *

Christopher Roberti, senior vice president for cyber, intelligence and supply chain security policy at the U.S. Chamber of Commerce, which says it is the world’s largest business association, said companies don’t stand a chance against determined nation-state attacks regardless of cybersecurity investments. Partnerships between the government and the private sector are essential, he said. “Businesses must take necessary steps to ensure their cyber defenses are robust and up to date, and the U.S. government must act decisively against cyber criminals to deter future attacks. Each has a role to play and both need to work closely to do more,” Mr. Roberti said.

Federal News Network offers an interesting interview with Chris Golden, director of Information Security at Horizon Blue Cross Blue Shield of New Jersey and a founding member of the Defense Department’s Cybersecurity Maturity Model Certification accreditation program. Of note:

Tom Temin [FNN]: And then there’s also hints that the CMMC program could spread to the civilian agencies, and therefore some unknown number of additional or marginal numbers of companies added into the mix. So then you’ve got more scaling issues.

Chris Golden: You’ve already seen Department of Homeland Security and the General Services Administration (GSA) put in what I would call contingency CMMC clauses in their contracts, they basically say, “Hey, we may change this contract to include a CMMC requirement. We’ll let you know after you sign” – it kind of thing. So these other government agencies are leaning in that direction, I think it’s probably going to be pretty obvious that most of them will go there. And eventually, it’ll be a whole of government approach. And then I think you’ll start seeing it go to people that don’t do any contracting with the government, right? Once the regulators start looking at and going, hey, in healthcare let’s say – that’s the area I work in – maybe a regulator says, “Well, maybe I’ll take a SOC 2 type 2 audit this year, but next year, maybe the CMMC thing is what I really need? Maybe that’s a better approach to managing risk?” And so once you see that happen, you’ll see sort of grow and balloon, and then we haven’t even talked internationally as our international partners, who do participate in the supply chain and will have to be CMMC-assessed but how do they fit into this sort of big puzzle as it sort of goes global? So yeah, there’s a potential here for a huge ballooning of this thing.

It would not be a true Cybersecurity Saturday post without a link to Bleeping Computer’s “This Week in Ransomware” post:

Compared to the last few weeks, it has been a relatively quiet week with no ransomware attacks causing widespread disruption.

It was a good week for law enforcement, with Ukrainian police arresting members of the Clop ransomware gang and the South Korean police arresting computer repairmen installing ransomware.

We also saw some interesting research released on LockBit and the Hades ransomware, as well as an updated Avaddon Ransomware decryptor that can decrypt more victims’ files.

Finally, President Biden met with Russian President Putin to discuss the recent cyberattacks. Whether something changes from that meeting is too soon to tell.

Also here’s a link to a nifty article with cybersecurity tips. Tech Republic informs us about a “new IBM global report examining consumer behaviors finds an average of 15 new online accounts were created and 82% are reusing the same credentials some of the time.”

Cybersecurity Saturday

Ransomware remained on the front pages this week. Bleeping Computer’s This Week in Ransomware tells us that

It has been quite the week when it comes to ransomware, with ransoms being paid, ransoms being taken back, and a ransomware gang shutting down.

This week’s biggest news was the FBI announcing that they were able to recover the majority of the $4.4 million ransom payment paid by Colonial Pipeline. It is not entirely clear how they obtained the private key for the cryptocurrency wallet, but it is believed DarkSide stored it on a seized server.

We also learned that JBS paid $11 million to the REvil ransomware operation to retrieve a decryptor and prevent stolen files from being leaked.

In a bit of good news, the Avaddon ransomware operation shut down and released the decryption keys of close to 3,000 victims to BleepingComputer. Using these, cybersecurity firm Emsisoft was able to release a free decryptor.

Finally, news broke this week that memory maker ADATA and food services supplier Edward Don suffered ransomware attacks.

The Wall Street Journal reports in greater detail on the FBI’s recovery of a portion of the Colonial Pipeline Bitcoin ransom and on a “ruthless” ransomware gang known as Ryuk, which targets healthcare providers after banks tightened up their security.

Cyberscoop discusses the Senate confirmation hearings last week for President Biden’s two top level cybersecurity nominations, Jen Easterly to lead the Department of Homeland Security’s cybersecurity agency, and Chris Inglis to be the national cyber director.

The nominees labeled ransomware a “scourge” that threatens national security, vowed to work with critical infrastructure firms to improve their defenses, and wondered aloud if additional federal regulations were necessary to incentivize firms to reduce their vulnerabilities to hacking.

The U.S. government, Inglis said, must “seize back the initiative that has too long been ceded to criminals and rogue nations who determine the time and manner of their transgressions.” He called on the U.S. and its allies to “remove the sanctuary [to ransomware criminals] and bring to bear consequences on those who hold us at risk.”

Easterly spoke with similar urgency: “We’re now at a place where nation-states and non-nation-state actors are leveraging cyberspace largely with impunity to threaten our privacy, our security and our infrastructure.”

Govinfo Security informs us that

As the federal government hammers out national infrastructure legislation, implements President Biden’s recent cybersecurity executive order and adopts other related initiatives, more attention and funding needs to be allocated to strengthen the healthcare sector’s cybersecurity posture and resilience, some industry groups urge.

In a letter Wednesday addressed to Biden, but also copied and sent to Senate and House party leaders, the Healthcare and Public Health Sector Coordinating Council requested heightened collaboration between industry and government to provide a road map for driving improvements to the cybersecurity readiness of the healthcare sector.

HSCC, a private-sector critical infrastructure advisory council to the Department of Health and Human Services created by Presidential Policy Directive 21 in 2013 during the Obama administration, represents more than 300 healthcare sector organizations, including patient care delivery networks, health plans, laboratories and health IT vendors.

Ars Technica reports on the long tail of ransomware attacks.

Researchers have discovered yet another massive trove of sensitive data, a dizzying 1.2TB database containing login credentials, browser cookies, autofill data, and payment information extracted by malware that has yet to be identified.

In all, researchers from NordLocker said on Wednesday, the database contained 26 million login credentials, 1.1 million unique email addresses, more than 2 billion browser cookies, and 6.6 million files. In some cases, victims stored passwords in text files created with the Notepad application.

The article directs concerned readers to the Have I Been Pwned website which aggregates breach information as a service to consumers.

In that regard, ISACA reminds us about the important role that data destruction policies play in maintaining cyber hygiene.

Cybersecurity Saturday

The Wall Street Journal reports on its interview with FBI Director Christopher Wray

FBI Director Christopher Wray said the agency was investigating about 100 different types of ransomware, many tracing back to hackers in Russia, and compared the current spate of cyberattacks with the challenge posed by the Sept. 11, 2001, terrorist attacks.

“There are a lot of parallels, there’s a lot of importance, and a lot of focus by us on disruption and prevention,” Mr. Wray said in an interview Thursday. “There’s a shared responsibility, not just across government agencies but across the private sector and even the average American.”

Mr. Wray’s comments—among his first publicly since two recent ransomware attacks gripped the U.S. meat and oil-and-gas industries—come as senior Biden administration officials have characterized ransomware as an urgent national-security threat and said they are looking at ways to disrupt the criminal ecosystem that supports the booming industry. Each of the 100 different malicious software variants are responsible for multiple ransomware attacks in the U.S., Mr. Wray said.

In that regard, Cyberscoop informs us about the latest moves in a long dance between the feds and private sector over cybersecurity, with a tempo that has hastened considerably since the Colonial Pipeline ransomware attack, and Bleeping Computer offers its latest week in ransomware report.

Earlier this week, Scripps Health, the San Diego health system, accounted for the protected health information losses, totaling 147,000 patient records, that it incurred in its early May ransomware attack.

The FEHBlog shares the American Hospital Association’s sentiments:

White House issues memo urging vigilance against ransomware threats. The White House today released a memo from Anne Neuberger, Deputy Assistant to President Biden, and Deputy National Security Advisor for Cyber and Emerging Technology, urging business executives to immediately convene their leadership teams to discuss ransomware threats and review corporate security posture and business continuity plans. The memo reiterates high-impact best practices for organizations to adopt: adoption of multi-factor authentication, endpoint detection and response, encryption and deploying skilled, empowered security teams. In addition, the AHA also recommends as high impact having network segmentation in place; tested, offline secure backups; incident response planning; and staff trained to recognize and report phishing emails.
“We are pleased to see the memo from the White House stressing the importance of some fundamental-but-essential cybersecurity measures which most hospitals and health systems already have in place,” said John Riggi, AHA’s senior advisor for cybersecurity and risk. “From AHA’s perspective, equally important to stopping ransomware attacks is the tangible actions the government will take to, as they stated, ‘hold ransomware actors and the countries who harbor them accountable.’ We agree that neither the private sector nor the government can fight this battle alone. We also reiterate, as we did in our testimony before the Senate and our public statements, that defense is only half of the equation which provides the solution to this national security threat.”

ISACA discusses the importance of security risk assessments and risk-informed decision making to cybersecurity protection.

Over the past two weeks, HHS’s Office for Civil Rights, which enforces the HIPAA Privacy and Security Rules, announced its 19th patient right-to-access-records settlement and a Security Rule related settlement.

Cybersecurity Saturday

ISACA provides a summary of the President’s executive order on cybersecurity issued earlier this month.

From the “whoops, I forgot to patch my system” front:

  • The American Hospital Association reports that “Cyber actors continue to exploit vulnerabilities in the operating system for the Fortinet network security system, the FBI warned [Thursday May 27], noting that a group “almost certainly” exploited a Fortigate appliance this month to access a webserver hosting the domain for a U.S. municipal government. The agency said actors are actively targeting a broad range of victims across multiple sectors. The alert recommends actions to help organizations guard against the threat.” More background on the Fortinet situation is available on ZDNet.
  • Bleeping Computer informs us that “A new ransomware threat calling itself Red Epsilon has been seen leveraging Microsoft Exchange server vulnerabilities to encrypt machines across the network. * * * The researchers found that the threat actor breached the enterprise network by exploiting unpatched vulnerabilities in on-premise Microsoft Exchange server. * * * Because of the critical severity, organizations across the world rushed to install the patches and in less than a month about 92% of the vulnerable on-premise Microsoft Exchange servers received the update.”
  • Here is a link to Bleeping Computer’s This Week in Ransomware for May 28, 2021.
  • Also for macOS users like the FEHBlog, Fortune reports that “A newly discovered flaw in the macOS operating system could allow intruders to take screenshots, record video, or access files on a hard drive without the machine owner’s knowledge. * * * A type of malware, dubbed XCSSET, which was first discovered last year, has found a way to use permissions obtained by other apps to bypass TCC, giving it broad access to infected Macs. * * * Apple already has issued a patch to keep XCSSET from using this vulnerability and is encouraging anyone running macOS 11.4 or later to download it immediately.”

From the phishing front, Security Week alerts us that

The Russia-linked threat group believed to be behind the SolarWinds attack has been observed launching a new campaign this week. The attacks have targeted the United States and other countries, and involve a legitimate mass mailing service and impersonation of a government agency.

The latest attacks were analyzed by Microsoft, which tracks the threat actor as Nobelium, and by incident response firm Volexity, which has found some links to APT29, a notorious cyberspy group previously linked to Russia.

The campaign appears to have started on May 25 and Microsoft said it involved malicious emails being sent to roughly 3,000 accounts across over 150 organizations in 24 countries. The highest percentage of emails went to the United States, but Volexity also saw a significant number of victims in Europe.

Targeted organizations include government agencies, think tanks, NGOs, and consultants. Microsoft said at least a quarter of the targets are involved in human rights and international development work.

Meanwhile, Fortune reports that

Several cyber security startups like IronScales and Vade Secure are using machine learning to spot phishing emails. Venture capitalists are betting that these startups will eventually become big businesses.

Tessian co-founder and CEO Tim Sadler said that his startup analyzes a company’s corporate emails to discover patterns, such as common email addresses that people correspond with, which could indicate that they are messages to customers, for instance. The company then uses this data to train a machine-learning model, which can scan emails and flag those that are suspicious before employees click on them.

The machine learning system also displays the reasons why it suspects an email is fraudulent, such as it featuring a strange web link or misspellings of employee names. * * *

One challenge facing companies trying to combat phishing is the rise of more realistic attacks aided by advances in natural language processing, a subset of A.I. that involves computers creating and understanding text. Bishop said that advances in powerful language models like OpenAI’s GPT-3 system could lead to criminals more easily creating phishing emails that appear to be personalized to particular recipients. For instance, such an email could contain an A.I.-generated message in which the writing style is similar to a worker’s boss, making it harder to spot a fraud.

As a result, Tessian, and other companies, are on a quest to improve their A.I. to detect more advanced A.I.-powered phishing attacks, which could one day be as “prevalent as spam,” [Tessian co-founder and chief technology officer Ed] Bishop said.

Cybersecurity Saturday

It has been another crazy ransomware week as reflected in Bleeping Computer’s weekly update headlined “Healthcare Under Attack.”

The Wall Street Journal in an article about why the Colonial Pipeline paid ransom quotes “Ciaran Martin, the former head of the National Cyber Security Center, the British government’s cybersecurity agency.”

“There are three problems contributing to the ransomware crisis,” Mr. Martin said. “One is Russia sheltering organized crime. A second is weak cybersecurity in too many places. But the third, and most corrosive, problem is that the business model works spectacularly for the criminals.”

In that regard, Cyberscoop and the American Hospital Association report on the Conti ransomware gang which last week struck Ireland’s health system. Here is a link to the FBI’s May 20 alert on the Conti gang.

STAT and Becker’s Health IT bring us up to date on the May 1 ransomware attack on Scripps Healthcare in San Diego, which was eclipsed publicly by the ransomware attack against Colonial Pipeline. The articles illustrate how these attacks have a lot of ramifications that can’t be cleaned up overnight.

ISACA and Security Boulevard provide insights into securing protected health information and other types of confidential data.

And let’s not lose sight of the SolarWinds cyberattack. SecurityWeek reports that

The hackers who carried out the massive SolarWinds intrusion were in the software company’s system as early as January 2019, months earlier than previously known, the company’s top official said Wednesday [May 20]. SolarWinds had previously traced the origins of the hack to the fall of 2019 but now believes that hackers were doing “very early recon activities” as far back as the prior January, according to Sudhakar Ramakrishna, the company’s president and CEO.

Also Wednesday, Ramakrishna apologized for the way the company blamed an intern earlier this year during congressional testimony for poor password security protocols. That public statement, he said, was “not appropriate.” “I have long held a belief system and an attitude that you never flog failure. You want your employees, including interns, to make mistakes and learn from those mistakes and together we become better,” he added. “Obviously you don’t want to make the same mistake over and over again. You want to improve.”

Cybersecurity Saturday

Particularly if you live on the East Coast, the Colonial Pipeline ransomware incident has given you practical familiarity with ransomware. Bleeping Computer provides the latest details on the denouement of the incident.

On Wednesday, President Biden issued an executive order on cybersecurity. Here’s a link to the accompanying fact sheet, and Nextgov and Cyberscoop also report on the EO. The EO focuses attention on the federal government and its information technology and operations technology contractors. The FEHBlog expects that the EO will kick loose a couple of related Federal Acquisition Regulation (FAR) cases (2017-013 and 2017-016) that have been under development for going on four years.

Health IT Security reports that “recent federal threat alerts detail ongoing Russian-backed and Avaddon ransomware campaigns targeting global entities, including healthcare and COVID-19 vaccine developers.”

ZDNet informs us that

Web applications represented 39% of all data breaches in the last year with phishing attacks jumping 11% and ransomware up 6% from a year ago, according to the Verizon Business Data Breach Investigations Report.

The report, based on 5,358 breaches from 83 contributors around the world, highlights how the COVID-19 pandemic’s move to the cloud and remote work opened up a few avenues for cybercrime.

Here are some more figures to ponder in the Verizon Business DBIR [which is always worth a gander]:

  • 85% of breaches involved a human element.
  • 61% of breaches involved credentials.
  • Ransomware appeared in 10% of breaches, double the previous year.
  • Compromised external cloud assets were more common than on-premises assets in incidents and breaches.