Cybersecurity Saturday

From Capitol Hill, Cyberscoop reports

A sweeping federal privacy bill unveiled Friday [June 3] would give Americans unprecedented control over how companies collect and use their data. 

The discussion draft was released by Sen. Roger Wicker, R-Miss., and Reps. Cathy McMorris Rodgers, R-Wa., and Frank Pallone, D-Mass. It represents the results of months of intense negotiations and is a step toward federal privacy protections long-awaited by civil society groups.

The 64-page privacy framework introduces a range of changes designed to give consumers more control over their data. It would require covered companies to limit data collection, allow consumers to turn off targeted advertisements, grant broad protections for Americans against discriminatory uses of their data and rein in third-party data collection.

The bill also carves out special protections regarding biometric data, a growing source of concern for privacy and human rights activists. Under the legislation, companies can only collect and share biometric data under specific instances including responding to a warrant and affirmative consent.

The FEHBlog notes that the bill's data security and protection of covered data provisions (Section 208) are integrated with the corresponding HIPAA and Gramm-Leach-Bliley data security rules.

From the law enforcement front

Cybersecurity tells us

The FBI managed to detect and mitigate an attack by Iranian state-sponsored hackers against Boston’s Children’s Hospital last summer, FBI Director Christopher Wray revealed on Wednesday.

“Quick actions by everyone involved, especially at the hospital, protected both the network and the sick kids that were dependent on it,” Wray said at the Boston Conference on Cyber Security.

Wray called the incident one of the “most despicable cyberattacks” he’s seen, but he noted that the threat was hardly an isolated one. In 2021 the FBI saw ransomware attacks against 14 of the 16 services deemed critical infrastructure by the U.S. government, including hospitals. The FBI issued a warning last November that Iranian hackers were seeking data that could be used to hack U.S. companies.

The agency has been “laser-focused” on potential threats to critical infrastructure resulting from the United States’ support of Ukraine during an ongoing invasion of the nation by Russia. The United States has observed Russia “taking specific preparatory steps towards potential destructive attacks, both here and abroad,” Wray said. And the fallout of those attacks could get worse.

Nextgov informs us

Federal law enforcement agencies have seized several internet domain names in pursuit of an international investigation into websites that permit users to buy stolen personal data and information or hack other networks. 

Announced on Wednesday [June 1], the domain names OVH Booter, WeLeakInfo and IPStress.in have all been procured by the Federal Bureau of Investigation and Department of Justice with a seizure warrant issued by a U.S. District Court for the District of Columbia. 

“Today, the FBI and the department stopped two distressingly common threats: websites trafficking in stolen personal information and sites which attack and disrupt legitimate internet businesses,” said U.S. Attorney Matthew Graves. “Cybercrime often crosses national borders. Using strong working relationships with our international law enforcement partners, we will address crimes like these that threaten privacy, security and commerce around the globe.”

From the vulnerabilities front over the last week

  • CISA has updated Cybersecurity Advisory AA22-138B: Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control, originally released May 18, 2022. The advisory has been updated to include additional indicators of compromise and detection signatures, as well as tactics, techniques, and procedures reported by trusted third parties. CISA encourages organizations to review the latest update to AA22-138B and update impacted VMware products to the latest version or remove impacted versions from organizational networks. 
  • Microsoft has released workaround guidance to address a remote code execution (RCE) vulnerability—CVE-2022-30190, known as “Follina”—affecting the Microsoft Support Diagnostic Tool (MSDT) in Windows. A remote, unauthenticated attacker could exploit this vulnerability to take control of an affected system. Microsoft has reported active exploitation of this vulnerability in the wild. CISA urges users and administrators to review Microsoft’s Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability and apply the necessary workaround. Bleeping Computer offers more details on Follina, and Wired offers an update on this Follina warning.
  • Atlassian has released new Confluence Server and Data Center versions to address remote code execution vulnerability CVE-2022-26134 affecting these products. An unauthenticated, remote attacker could exploit this vulnerability to execute code remotely. Atlassian reports that there is known exploitation of this vulnerability. CISA strongly urges organizations to review Confluence Security Advisory 2022-06-02 and upgrade Confluence Server and Confluence Data Center.
  • The Healthcare Cybersecurity Coordination Center offered a webinar on the Return of Emotet and the Threat to the Health Sector. Emotet has been called the world’s most dangerous malware.
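For the Follina item above, the workaround Microsoft published for CVE-2022-30190 is to disable the ms-msdt: URL protocol handler by backing up and then deleting the HKEY_CLASSES_ROOT\ms-msdt registry key, and to restore it from the backup once a patch is installed. The script below is an added example written for this post, not code from CISA or Microsoft; it applies that registry change with the checks an administrator would want (elevation, backup succeeded before anything is deleted, key actually gone afterward). The backup path C:\msdt-backup.reg is an assumption of the example, not part of Microsoft's guidance.

```powershell
# Added example (not from CISA or Microsoft): applies the registry workaround
# Microsoft documented for CVE-2022-30190 (removing the ms-msdt: URL protocol
# handler) and verifies the result. Run from an elevated PowerShell prompt.
# Assumption: the backup path below is this example's choice, not Microsoft's.

$Key        = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = 'C:\msdt-backup.reg'

# Refuse to run without admin rights: deleting under HKCR needs them.
$isAdmin = ([Security.Principal.WindowsPrincipal] `
    [Security.Principal.WindowsIdentity]::GetCurrent()
).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated PowerShell session.' }

# Nothing to do if the handler is already gone (safe to re-run).
if (-not (Test-Path "Registry::$Key")) {
    Write-Output "$Key is not present; the workaround is already applied."
    return
}

# 1. Back up the key first so the workaround can be reverted after patching.
reg.exe export $Key $BackupFile /y
if ($LASTEXITCODE -ne 0) { throw "Backup of $Key failed; not deleting anything." }

# 2. Delete the protocol handler. This is the change Microsoft's guidance describes.
reg.exe delete $Key /f
if ($LASTEXITCODE -ne 0) { throw "Deletion of $Key failed." }

# 3. Verify: the key must be gone and the backup must exist on disk.
if (Test-Path "Registry::$Key")    { throw "$Key is still present after deletion." }
if (-not (Test-Path $BackupFile))  { throw "Backup file $BackupFile is missing." }
Write-Output "ms-msdt handler removed; backup saved at $BackupFile."
Write-Output "To revert once patched: reg.exe import $BackupFile"
```

Keep the .reg backup with your change record: the workaround breaks MSDT-based troubleshooters, so it should be reverted with reg.exe import after the vendor fix is deployed.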

From the ransomware front over the last week

The Wall Street Journal reports, “Russia-linked ransomware groups are splitting into smaller cells or cycling through different types of malware in attempts to evade a growing array of U.S. sanctions and law-enforcement pressure, cybersecurity experts say.”

CISA issued an alert on the Karakurt Data Extortion Group. “Karakurt victims have not reported encryption of compromised machines or files; rather, Karakurt actors have claimed to steal data and threatened to auction it off or release it to the public unless they receive payment of the demanded ransom. Known ransom demands have ranged from $25,000 to $13,000,000 in Bitcoin, with payment deadlines typically set to expire within a week of first contact with the victim.”

Here is a link to Bleeping Computer’s latest Week in Ransomware.

From the cyber defense front

  • Cyberscoop offers a video interview with Jim Richberg, Public Sector Field CISO and VP of Information Security at Fortinet concerning “important strategies to counter today’s heightened threat environment.”
  • ZDNet identifies five simple errors that can make your “cloud” an attractive target for hackers.
  • Security Week discusses four tactics to protect email systems.
  • Health IT Security delves into the topic of HIPAA Physical Safeguards.