Cybersecurity Saturday

From the cybersecurity policy front —

Cyberscoop reports

A forthcoming White House cybersecurity strategy document aims to force large companies to shoulder greater responsibility for designing secure products and to redesign digital ecosystems to be more secure, Camille Stewart Gloster, the deputy national cyber director for technology and ecosystem security, said at a CyberScoop event Thursday. 

By “shifting the burden back from the smaller players” and toward larger players “that can build in security by design,” the strategy aims to deliver broad security gains, Stewart Gloster said. The strategy document also looks at how to “rearchitect our digital ecosystem” so “that we are creating future resilience,” she said.

According to an early draft of the document obtained by Slate — which White House officials have emphasized is not a final document — the strategy includes a wide range of mandatory regulations on American critical infrastructure companies to improve security and authorizes law enforcement and intelligence agencies to take a more aggressive approach to hack into foreign networks to prevent attacks or retaliate after they have occurred. 

The strategy document is expected to broadly abandon the mostly voluntary approach that has defined U.S. policy in recent years in favor of more comprehensive regulation.

PortSwigger delves into the National Institute of Standards and Technology (NIST) plans for “significant changes to its Cybersecurity Framework (CSF) – the first in five years, and the biggest reform yet” as first noted here last week.

From the cyber vulnerabilities front —

The Cybersecurity and Infrastructure Security Agency (CISA) offers this alert

CISA assesses that the United States and European nations may experience disruptive and defacement attacks against websites in an attempt to sow chaos and societal discord on February 24, 2023, the anniversary of Russia’s 2022 invasion of Ukraine. CISA urges organizations and individuals to increase their cyber vigilance in response to this potential threat.

Security Week adds the perspective of “Several cybersecurity companies’ reports [that published] in the past week summarizing what they have seen in cyberspace since the start of the war.”

Cybersecurity Dive reports

  • “Phishing remained the top initial access vector for security incidents last year with more than 2 in 5 of all incidents involving phishing as the pathway to compromise, IBM research found.
  • “Three in 5 of all phishing attacks were conducted through attachments last year, according to IBM Security X-Force’s annual threat intelligence report released Wednesday. Phishing via links accounted for one-third of all phishing attacks. 
  • “One-quarter of attacks involved the exploitation of public-facing applications and 16% abused valid accounts for access. Just 1 in 10 involved external remote services.”

and

  • “Threat actors are shifting tactics and embracing new tools to run more efficient and impactful operations.
  • “Attackers are now often looking to build an economy of scale,” Wendi Whitmore, SVP of Unit 42 at Palo Alto Networks said Wednesday during a keynote at the company’s annual user summit.
  • “Instead of using one attack vector against one company, threat actors are targeting an entire supply chain.
  • “Likewise, instead of encrypting data, then decrypting it on the back end, ransomware groups can just steal the information and threaten to release it publicly if their ransom demand isn’t met.”

CISA added three more known exploited vulnerabilities to its catalog on February 21. It’s worth noting that CISA refreshed its website. As a result, CISA’s known exploited vulnerabilities reports now identify the additions rather than requiring the reader to click over to the catalog. Bravo.

From the ransomware front, the Bleeping Computer provides no Week in Ransomware this week, but it does inform us about “A threat actor [that] has been targeting government entities with PureCrypter malware downloader that has been seen delivering multiple information stealers and ransomware strains.”

HHS’s healthcare sector cybersecurity coordination center (HC3) released the following alert

Russia-linked ransomware group Clop reportedly took responsibility for a mass attack on more than 130 organizations, including those in the healthcare industry, using a zero-day vulnerability in secure file transfer software GoAnywhere MFT. Cybersecurity & Infrastructure Security Agency (CISA) added the GoAnywhere flaw (CVE-2023-0669) to its public catalog of Known Exploited Vulnerabilities. This Sector Alert follows previous HC3 Analyst Notes on Clop (CLOP Poses Ongoing Risk to HPH Organizations and CLOP Ransomware) and provides an update on its recent attack, potential new tactics, techniques and procedures (TTPs), and recommendations to detect and protect against ransomware attacks.

The American Hospital Association adds

“The Russia-linked Clop ‘ransomware-as-a-service’ gang has been targeting health care since 2019, evolving its tactics to effectively combine ransomware and data theft in novel ways,” said John Riggi, AHA’s national advisor for cybersecurity and risk. “Last month HC3 reported that Clop was infecting files disguised to look like medical documents, submitting them to providers and requesting a medical appointment. The objective is to deceive the recipient into clicking on the malicious document and infecting the organization with highly disruptive ransomware. Health care organizations should immediately apply the security patches recommended in these alerts and review the scope, security and necessity of secure file transfer systems.”

For more from the AHA click here, and Health IT Security discusses this Alert here.

To mitigate risk, HC3 urged organizations to patch the GoAnywhere MFT vulnerability where applicable. HC3 also encouraged healthcare organizations to “acknowledge the ubiquitous threat of cyberwar against them” and focus on educating staff and assessing enterprise risk against all potential vulnerabilities.

“Prioritizing security by maintaining awareness of the threat landscape, assessing their situation, and providing staff with tools and resources necessary to prevent a cyberattack remains the best way forward for healthcare organizations,” HC3 concluded.

HC3 posted an Analyst Note about MedusaLocker ransomware yesterday.

Ransomware variants used to target the healthcare sector, from relatively well-known cyber threat groups, continue to be a source of concern and attention. (See HC3 reports on Royal Ransomware and Clop Ransomware.) Likewise, the threat from lesser-known but potent ransomware variants, such as MedusaLocker, should also be a source of concern and attention for healthcare security decision makers and defenders.

The Wall Street Journal sums it up with encouraging news

Extortion payments from ransomware, a hacking scourge that has crippled hospitals, schools and public infrastructure, fell significantly last year, according to federal officials, cybersecurity analysts and blockchain firms.

After ballooning for years, the amount of money being paid to ransomware criminals dropped in 2022, as did the odds that a victim would pay the criminals who installed the ransomware. With ransomware, hackers lock up a victim’s computer network, encrypting hard drives until victims pay.

Alphabet Inc.’s Mandiant cybersecurity group said it had responded to fewer ransomware intrusions in 2022—a 15% decrease from 2021. CrowdStrike Holdings Inc., another U.S. cybersecurity firm, said it saw a drop in average ransom-demand amounts, from $5.7 million in 2021 to $4.1 million in 2022, a decline the company attributed to disruption of major ransomware gangs, including arrests, and a decline in crypto values. Ransomware payments are generally made using cryptocurrency.

The blockchain-analytics firm Chainalysis Inc. says that payments that it tracked to ransomware groups dropped by 40% last year, totaling $457 million. That is $309 million less than 2021’s tally.

“It reflects, I think, the pivot that we have made to a posture where we’re on our front foot,” Deputy Attorney General Lisa Monaco said in an interview. “We’re focusing on making sure we’re doing everything to prevent the attacks in the first place.”