Cybersecurity Saturday

From Capitol Hill, per Nextgov, “the House [of Representatives] on Tuesday passed the NDAA conference report—language House and Senate Armed Services Committee leaders agree on that reconciles versions of the bill from each chamber. The next step is a vote on the conference report by the Senate.  (H.R. 4350).

Nextgov adds

“There were intensive efforts to get cyber incident reporting done but ultimately the clock ran out on getting it in the NDAA,” House Homeland Security Committee Chairman Bennie Thompson, D-Miss and Rep. Yvette D. Clarke, D-NY, who chairs the committee’s panel on cybersecurity, said in a joint statement Tuesday.

The annual Defense Authorization Act still “initiates the widest empowerment and expansion of CISA through legislation since the SolarWinds incident,” according to a summary of the bill released by the House Armed Services Committee Tuesday

The bill gives CISA added responsibilities around identifying threats to industrial control systems, and removing cybersecurity vulnerabilities while establishing voluntary partnerships with industrial control system and internet ecosystem companies. 

From the government initiative front, Health IT Security reports that

HHS launched a new website for its 405(d) Program with the goal of aligning healthcare cybersecurity across the industry. Under the Cybersecurity Act of 2015, HHS established the 405(d) Aligning Health Care Industry Security Approaches Program and the 405(d) Task Group, which is comprised of more than 150 industry and government experts.

The program aims to uphold the motto that “cyber safety is patient safety,” and its website contained resources, videos, products, and tools to help raise awareness and promote cybersecurity best practices, the HHS announcement stated.

“Healthcare professionals understand the importance of hand washing when it comes to mitigating the spread of diseases. Similarly, we know that cybersecurity practices reduce the risk of cyber-attacks and data breaches,” the website maintained.

Also the HHS Cybersecurity Program issued a healthcare sector alert yesterday

A highly utilized application called Log4j contains a severe, known vulnerability that is being actively and aggressively attacked. Upon successful exploitation, a compromised system or device can be used to execute arbitrary code, which can serve as the beginning of a larger cyberattack potentially resulting in any number of effects including data exfiltration and ransomware. HC3 advises healthcare and public health organizations to survey their infrastructure and ensure they are not running vulnerable versions of Log4j. Any vulnerable systems should be upgraded, and a full investigation of the enterprise network should commence to identify possible exploitation if a vulnerable version is identified.

Report

Log4j is a very common Java library/framework that provides logging capabilities to any number of software platforms that it serves. In late November, a remote code execution (RCE) vulnerability (tracked as CVE-2021-44228) was identified in certain versions which are now being actively exploited in the wild. Proof of concept exploit code has been circulating social media for several days and is publicly posted on well-known code repositories. The Log4j software is maintained by Apache and they have released an update which should be deployed (after testing, as needed) across all vulnerable devices in the enterprise in a timely manner.

From the interviews department

  • Tech Republic interviews Walgreens Boots Alliance CTO Mike Maresca “about what keeps him up at night and why building internal and external partnerships is key for digital transformation success.”
  • The Wall Street Journal interviews Kathy Hughes, the CISO for Northwell Health, a hospital / healthcare system in New York City and Long Island, and Joey Johnson, the CISO for Premise Health, which offers health and wellness services to employers, among others. This tidbit from the interview grabbed the FEHBlog’s attention:

WSJ: Can you briefly explain a couple of technologies that you had to deploy?

MS. HUGHES: The most significant one was, because we had seen such an uptick in phishing emails, we deployed a technology that actually does a live scan of a URL when it’s clicked within an email. The technology that we had before, if a URL had been accessed that was previously determined and rated to be malicious, it would be blocked. But this enabled us to do that in real time

Cool.

From the hacking front, Cyberscoop reports

Hackers associated with the SolarWinds supply chain compromise have been busy in the year since that attack was revealed, compromising multiple cloud solution companies with the goal of stealing data relevant to Russian interests and finding routes to additional victims, new research reveals.

Findings published Monday [December 6] by a team of analysts at Mandiant collate previous observations and analysis — along with the efforts of “hundreds of consultants, analysts and reverse engineers — to paint a picture of potentially distinct groups working alongside or within a more established Russian intelligence hacking group known as Nobelium, a name given to the group by Microsoft. The group is also known as Cozy Bear.

Last but never least, here is a link to Bleeping Computer’s The Week in Ransomware.

This week has quite a bit of ransomware news, including arrests, a new and sophisticated ransomware, and an attack bringing down 300 supermarkets in England.

This week’s biggest story is a law enforcement operation conducted by the FBI and Ontario Provincial Police (OPP) that arrested a Candian ransomware affiliate allegedly involved in hundreds of attacks.

We also learned about the new ALPHV (aka BlackCat) ransomware that appears to be one of the most sophisticated ransomware families we have seen this year.

Finally, this week’s largest known ransomware attack was on James Hall and Co, which affected point-of-sale systems and led to the temporary closing of over 300 Spar supermarkets in England. This week’s other known attack is on Nordic Choice Hotels by the Conti ransomware gang.