Cybersecurity Saturday

From the cyber policy front, the FEHBlog noticed that OMB’s Office of Information and Regulatory Affairs recently had concluded its work on FAR Case 2017-016, a proposed rule on Controlled Unclassified Information (CUI). Surprisingly, the proposed rule has been withdrawn. The FEHBlog had been tracking this rule because health claims data is considered CUI.

From the cyber vulnerabilities front,

Tech Republic discusses “how credential phishing attacks threaten a host of industries and organizations.”

For the first half of 2022, email attacks against organizations rose by 48%, according to the report. Out of all those attacks, 68% were credential phishing attempts that contained a link designed to steal sensitive account information. Over the same time, 265 different brands were spoofed in phishing emails.

The HHS Health Sector Cybersecurity Coordination Center (HC3) released analyst notes last week on the following topics:

CISA added two new known exploited vulnerabilities to its catalog.

Cybersecurity Dive reports

Researchers from Rapid7 discovered 10 vulnerabilities in Cisco firewall and network security products; however, after reporting them to the company in February and March, six of the flaws have not been fully patched.

The vulnerabilities were found in Cisco Adaptive Security Software (ASA), ASDM and Firepower Services Software for ASA. Cisco has more than 300,000 security customers, and more than 1 million ASA devices are deployed worldwide. 

Most of the vulnerabilities allow attackers to execute arbitrary code, Jake Baines, lead security researcher at Rapid7, said via email. Rapid7 researchers presented the findings this week at Black Hat USA in Las Vegas.

From the ransomware front, CISA announced on August 11 that

CISA and the Federal Bureau of Investigation (FBI) have released a joint Cybersecurity Advisory (CSA), #StopRansomware: Zeppelin Ransomware, to provide information on Zeppelin Ransomware. Actors use Zeppelin Ransomware, a ransomware-as-a-service (RaaS), against a wide range of businesses and critical infrastructure organizations to encrypt victims’ files for financial gain.

CISA encourages organizations to review #StopRansomware: Zeppelin Ransomware for more information. Additionally, see StopRansomware.gov for guidance on ransomware protection, detection, and response. 

ZDNet delves into Zeppelin ransomware at this link.

Zeppelin actors are known to have demanded ransoms of several thousand dollars to in excess of $1 million. The advisory references Core Security’s research, which describes Zeppelin as a “well-organized” threat

Security Week reports

Profit-driven cybercriminals breached Cisco systems in May and stole gigabytes of information, but the networking giant says the incident did not impact its business.

Cisco on Wednesday released a security incident notice and a technical blog post detailing the breach. The intrusion was detected on May 24, but the company shared its side of the story now, shortly after the cybercriminals published a list of files allegedly stolen from its systems.

The level of attacker sophistication disclosed in the technical blog post is eye-opening.

Here is a link to Bleeping Computer’s The Week in Ransomware, which leads with the Cisco hack.

From the cyber defense front

An ISACA expert discusses the state of the cyber insurance market.

While premiums are leveling off, the hardening of the cyber insurance market is ongoing and will impact how policies are underwritten. In the meantime, organizations can benefit from improving their security and control postures with the goal of reducing insurance costs.

The Wall Street Journal reports

A group of 18 tech and cyber companies said Wednesday they are building a common data standard for sharing cybersecurity information. They aim to fix a problem for corporate security chiefs who say that cyber products often don’t integrate, making it hard to fully assess hacking threats.

Amazon.com Inc.’s AWS cloud business, cybersecurity company Splunk Inc. and International Business Machines Corp.’s security unit, among others, launched the Open Cybersecurity Schema Framework, or OCSF, Wednesday at the Black Hat USA cybersecurity conference in Las Vegas.

Products and services that support the OCSF specifications would be able to collate and standardize alerts from different cyber monitoring tools, network loggers and other software, to simplify and speed up the interpretation of that data, said Patrick Coughlin, Splunk’s group vice president of the security market. “Folks expect us to figure this out. They’re saying, ‘We’re tired of complaining about the same challenges.’”

Other companies involved in the initiative are CrowdStrike Holdings Inc., Rapid7 Inc., Palo Alto Networks Inc., Cloudflare Inc., DTEX Systems Inc., IronNet Inc., JupiterOne Inc., Okta Inc., Salesforce Inc., Securonix Inc., Sumo Logic Inc., Tanium Inc., Zscaler Inc. and Trend Micro Inc.

Cybersecurity Saturday

From the cyber vulnerabilities front —

CISA released an alert on 2021 top malware strains and added one more known exploited vulnerability to its catalog.

The Health Sector Cybersecurity Coordination Center (HC3) released an analyst note on internet of things security and a PowerPoint presentation on the Open Web Application Security Project’s (OWASP) Top 10.

OWASP is a nonprofit foundation dedicated to improving software security, and its Top 10 is “a standard awareness document for developers and web application security that represents a broad consensus about the most critical security risks to web applications.”

Cybersecurity Dive reported last Tuesday

VMware disclosed yet another critical vulnerability that threat actors could exploit to bypass authentication in the same products that carried a similar defect in May with equal potential for severe damage.

The latest vulnerability, CVE-2022-31656, impacts VMware Workspace ONE Access, Identity Manager and vRealize Automation, according to an initial security advisory issued Tuesday by VMware. This is the second authentication bypass vulnerability to hit these products in less than three months.

VMware issued patches for three impacted products and rated the vulnerability in the critical severity range with a 9.8 score on the common vulnerability scoring system, bearing another similarity to the previous bug.

From the ransomware front, Bleeping Computer’s The Week in Ransomware is back. This issue concerns cyber insurance.

Cybersecurity Dive reported last Monday

Ransomware and business email compromise accounted for more than two-thirds of all cyberattacks during the past 12 months, according to Palo Alto Networks’ Unit 42.

The pair of top attacks represent the most lucrative means by which threat actors can turn illicit network access into financial gain.

Software vulnerabilities accounted for nearly half of all cases of initial access used by threat actors to deploy ransomware, Unit 42 wrote in a report published last week. The outsized threat posed by software vulnerabilities is further exacerbated by threat actors that can scan the internet at scale for weak points.

and last Thursday

A new report created to help organizations navigate ransomware risks exemplifies the challenges small- to medium-sized businesses confront in the battle against just one of many cyberthreats. 

The recommendations, identified to help SMBs with limited cybersecurity expertise, include 40 safeguards. That’s a curated subset of the guidance in the Center for Internet Security’s critical security controls.

The report’s authors acknowledge not every organization has the resources to implement every safeguard immediately, but they maintain any actions taken, full or partial, represent a step in the right direction.

An ISACA expert offers an interesting perspective on “midgame” defenses against ransomware.

From the cyberdefense front —

The FEHBlog ran across this HHS 405(d) site with news and awareness resources. The awareness resources include information on data patching and security for small, medium, and large businesses. “The 405(d) program is a collaborative effort between industry and the federal government to align healthcare industry security practices in an effort to develop consensus-based guidelines, practices, and methodologies to strengthen the healthcare and public health (HPH) sector’s cybersecurity posture against cyber threats.”

Health IT Security discusses how to identify and address insider threats in healthcare.

CSO explains how to create defense in depth by layering tools and processes for better cybersecurity.

Cybersecurity Saturday

From the cyber breaches front, Health IT Security reports

Healthcare data breaches cost an average of $10.1 million per incident last year, IBM Security found in the 2022 edition of its “Cost of a Data Breach Report.” The figure signified a 9.4 percent increase from the 2021 report and a 41.6 percent increase from 2020. For the 12th consecutive year, the healthcare sector suffered the most expensive data breach costs compared to any other industry examined in the report. * * *

The use of stolen or compromised credentials remained the top cause of a data breach in the 2022 report, accounting for 19 percent of all analyzed breaches.

[P]hishing attacks emerged as the second most common cause of a breach, accounting for 16 percent of all analyzed breaches. Additionally, phishing was the most expensive breach type, averaging $4.91 million.

Business email compromise (BEC) averaged $4.89 million in costs, making it nearly as expensive as a phishing attack. Unsurprisingly, incidents that had the longest average times to identify and contain them were also the most expensive.

From the cybervulnerabilities front —

Cybersecurity Dive tells us

Threat actors are increasingly distributing malware via container files, including ISO and RAR, as well as Windows shortcut files (LNK), following prior decisions by Microsoft to block macros by default in Microsoft Office, according to Proofpoint research released Thursday.

Microsoft previously disclosed plans to block XL4 and VBA macros in Office by default in October 2021 and February, respectively. 

Proofpoint researchers said the use of VBA and XL4 macros fell by 66% between October 2021 and June of this year. The researchers call the movement one of the “largest email threat landscape shifts in recent history.”
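The shift that Proofpoint describes, from macro-enabled documents to container files (ISO, RAR) and Windows shortcut (.lnk) files, is something a mail gateway or SOC can triage on attachment metadata alone. The following is an added example, not code from the original post or from Proofpoint; the extension sets, risk tiers and sample messages are assumptions constructed for illustration. It ranks a container file higher when a shortcut or executable has been observed inside it, which is the chaining pattern the research refers to.

```python
"""Triage e-mail attachments for the delivery types highlighted by the
Proofpoint research: container files (ISO/RAR/...) and .lnk shortcuts.
Added example; all sample messages below are constructed, not real mail."""
from dataclasses import dataclass, field
from pathlib import PurePosixPath
from typing import List, Optional, Tuple

# Assumed extension sets; tune these to what your gateway actually sees.
CONTAINER_EXTS = {".iso", ".img", ".vhd", ".rar", ".zip", ".7z"}
SHORTCUT_EXTS = {".lnk"}
EXECUTABLE_EXTS = {".exe", ".dll", ".js", ".vbs", ".hta", ".scr"}
MACRO_DOC_EXTS = {".docm", ".xlsm", ".xlm"}


@dataclass
class Attachment:
    filename: str
    # Names listed inside a container, if the gateway unpacked it (may be empty).
    inner_files: List[str] = field(default_factory=list)


@dataclass
class Finding:
    message_id: str
    filename: str
    risk: str      # "high" or "medium"
    reason: str


def _ext(name: str) -> str:
    """Lower-cased file extension, '' when the name has none."""
    return PurePosixPath(name.lower()).suffix


def triage_attachment(message_id: str, att: Attachment) -> Optional[Finding]:
    """Return a Finding for attachment types worth an analyst's attention, else None."""
    ext = _ext(att.filename)
    inner_exts = {_ext(n) for n in att.inner_files}
    if ext in SHORTCUT_EXTS:
        return Finding(message_id, att.filename, "high",
                       "bare Windows shortcut (.lnk) attachment")
    if ext in CONTAINER_EXTS:
        # A container is riskier when it wraps a shortcut or executable payload.
        if inner_exts & SHORTCUT_EXTS:
            return Finding(message_id, att.filename, "high",
                           "container file carrying a .lnk shortcut")
        if inner_exts & EXECUTABLE_EXTS:
            return Finding(message_id, att.filename, "high",
                           "container file carrying executable content")
        return Finding(message_id, att.filename, "medium",
                       "container file attachment (ISO/RAR/etc.)")
    if ext in MACRO_DOC_EXTS:
        return Finding(message_id, att.filename, "medium",
                       "macro-enabled Office document")
    return None


def triage_messages(messages: List[Tuple[str, List[Attachment]]]) -> List[Finding]:
    """Run triage over (message_id, attachments) pairs and collect findings."""
    findings = []
    for message_id, attachments in messages:
        for att in attachments:
            finding = triage_attachment(message_id, att)
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed sample messages (hypothetical ids and filenames).
SAMPLE_MESSAGES = [
    ("m1", [Attachment("invoice.iso", ["invoice.lnk", "payload.dll"])]),
    ("m2", [Attachment("report.pdf")]),
    ("m3", [Attachment("scan.lnk")]),
    ("m4", [Attachment("archive.rar", ["readme.txt"])]),
    ("m5", [Attachment("budget.xlsm")]),
    ("m6", [Attachment("tools.zip", ["setup.exe"])]),
]

if __name__ == "__main__":
    for f in triage_messages(SAMPLE_MESSAGES):
        print(f"{f.message_id}: {f.filename} [{f.risk}] {f.reason}")
```

A medium finding is a review queue entry, not a block: ZIP and ISO attachments have legitimate uses, so the useful signal is the combination of container type and what is inside it.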

CISA added another known exploited vulnerability to its catalog. The Hacker News explains

The vulnerability, tracked as CVE-2022-26138, concerns the use of hard-coded credentials when the Questions For Confluence app is enabled in Confluence Server and Data Center instances. “A remote unauthenticated attacker can use these credentials to log into Confluence and access all content accessible to users in the confluence-users group,” CISA notes in its advisory.

From the ransomware front, while regrettably Bleeping Computer’s The Week in Ransomware is off again this week, Bleeping Computer does report

Ransomware statistics from the second quarter of the year show that the ransoms paid to extortionists have dropped in value, a trend that continues since the last quarter of 2021.

Ransomware remediation firm Coveware has published a report today with ransomware data from the second quarter of 2022 showing that although the average payment increased, the median value recorded a significant drop.

This continues a downward trend since Q4 2021, which represented a peak in ransomware payments both average ($332,168) and median ($117,116).

“This trend reflects the shift of RaaS affiliates and developers towards the mid-market where the risk to reward profile of attack is more consistent and less risky than high profile attacks,” comments Coveware in the report.

“We have also seen an encouraging trend among large organizations refusing to consider negotiations when ransomware groups demand impossibly high ransom amounts.” The median size of the companies targeted this quarter dropped even further, with the actors looking for smaller yet financially healthy organizations to disrupt, the company says.

Security Week adds

Cybersleuths at Microsoft have found a link between the recent ‘Raspberry Robin’ USB-based worm attacks and EvilCorp, a notorious Russian ransomware operation sanctioned by the U.S. government.

According to fresh data from Redmond’s threat intelligence team, a ransomware-as-a-service gang it tracks as DEV-0206 has been caught rigging online ads to trick targets into installing a loader for additional malware previously attributed to EvilCorp.

Even more ominously, Microsoft said its research teams discovered EvilCorp malware distribution tactics and observed behavior all over the ‘Raspberry Robin’ worm seen squirming through corporate networks earlier this week.

The connection suggests the cybercriminals behind the EvilCorp operation are working with other groups to get around the U.S. Justice department sanctions that block ransomware extortion payments.

“The use of a RaaS payload by the ‘EvilCorp’ activity group is likely an attempt by DEV-0243 to avoid attribution to their group, which could discourage payment due to their sanctioned status,” Microsoft said. EvilCorp is allegedly run by Russian nationals Maksim Yakubets and Igor Turashev, who were charged by the United States in 2019. 

Cybersecurity Saturday

From Capitol Hill, Cyberscoop reports

The House Energy and Commerce Committee voted Wednesday [July 20] to advance sweeping privacy legislation with strong bipartisan support.

The American Data and Privacy Protection Act (ADPPA) [H.R. 8152] could see a full floor vote as early as next week, moving forward what would become the nation’s first comprehensive privacy law.

But some lawmakers and privacy experts are now alarmed the legislation may not address some of the most pressing issues related to consumer privacy — reining the massive growth in data brokers that buy and sell the public’s information and curbing potential abuse of commercial data such as reproductive health information. * * *

The American Data Privacy Protection Act isn’t the only potential mechanism for Congress to crack down on data brokers or the abuse of their services. For instance, [Sen. Ron] Wyden’s bipartisan and bicameral The Fourth Amendment Is Not For Sale Act [S. 1265 and H.R. 2738] would prohibit law enforcement from purchasing data that would otherwise require a warrant. House Judiciary leaders called for a markup of the bill at a hearing on Tuesday [July 19].

Several House Energy and Commerce Committee members made clear Wednesday that they would like to see additional discussion before giving the bill their support for a full floor vote. And even if it gets to the Senate, the bill faces strong resistance from Senate Commerce Chair Maria Cantwell, D. Wash., who has previously said she would not bring the bill for markup.

From the cyber breaches front, Health IT Security informs us

Fortified Health Security’s mid-year report on the state of healthcare cybersecurity observed slight shifts in healthcare data breach trends in the first half of 2022. The HHS Office for Civil Rights data breach portal showed that there have been 337 healthcare data breaches impacting more than 500 individuals each in the first half of this year, signifying a slight decrease from 368 at this time last year.

“While the number of healthcare cybersecurity reported breaches has leveled off after meteoric rises over the past several years, hospitals and health systems still cannot breathe a sigh of relief,” the report stated.

“The percentage of healthcare breaches attributed to malicious activity rose more than 5 percentage points in the first six months of 2022 to account for nearly 80 [percent] of all reported incidents.”

Reuters adds

Plaintiffs’ lawyers representing a class of millions of federal employees in a data-breach lawsuit against the U.S. [Office of Personnel Management] asked a Washington, D.C., judge on Thursday to award more than $8.5 million in legal fees for their work securing a $63 million settlement.

The class attorneys at San Francisco-based Girard Sharp, working with 14 other firms, said in a court filing that the “novelty and complexity” of the litigation, which began in 2015, justified the requested fee. * * *

A fairness hearing is scheduled for Oct. 14.

From the cyber vulnerabilities front —

Cybersecurity Dive reports

Threat actors are likely exploiting a critical vulnerability that surfaced in a pair of Confluence support apps after a hardcoded default password was leaked, Atlassian warned customers in an advisory update on Thursday [July 21].

The culprit, a default password for admin control on Atlassian’s Questions for Confluence app, allows attackers to gain access to unpatched servers. Atlassian released a patch for the vulnerability and advised all organizations running affected Confluence systems to update the app, disable or delete the default “disabledsystemuser” admin account.

The Cybersecurity and Infrastructure Security Agency Friday [July 22] issued an advisory to alert customers to the latest vulnerability impacting Confluence. “An attacker could exploit this vulnerability to obtain sensitive information,” the agency said.

HHS’s Health Sector Cybersecurity Coordination Center (HC3) shared a PowerPoint presentation on Web Application Attacks in Healthcare.

From the ransomware front —

Cybersecurity Dive reports

Affiliates of the LockBit ransomware group are infiltrating on-premises servers to spread malware on targeted networks, according to new research from Broadcom’s threat hunting team at Symantec.

Threat analysts observed a threat actor operating on a victim’s enterprise network with remote desktop protocol access for several weeks before it dropped and executed the LockBit ransomware. This type of sustained and undetected access allows attackers to conduct reconnaissance and identify weaknesses on networks before deploying payloads.

Attackers operating LockBit ransomware can leverage group policy management to spread the malware through a network, run commands and encrypt many machines almost simultaneously, Symantec’s researchers said.

Cyberscoop tells us

Typically, when it comes to ransomware, researchers and cybersecurity companies scramble after attacks to understand the origin of the malware that infected systems and locked crucial data.

But researchers with Censys, a firm that indexes devices connected to the internet, said Thursday they’ve flipped the typical script and found what appears to be a ransomware command and control network capable of launching attacks, including one host located in the U.S.

Matt Lembright, Censys’ director of federal applications and author of the report, told CyberScoop that they came across the network after running a search through the company’s data for the top 1,000 software products currently observable on Russian hosts. After seeing Metasploit — penetration testing software frequently used for legitimate purposes — on just nine hosts out of more than 7.4 million, the team did some additional digging. 

The team eventually found two Russian-based hosts containing a combination of Acunetix, a web vulnerability tester, and DeimosC2, a command and control tool to use on compromised machines after exploitation.

The American Hospital Association reports

The Justice Department has recovered about $500,000 in ransom that a Kansas hospital and Colorado medical provider paid to state-sponsored North Korean hackers, the agency announced yesterday [July 19].

“Thanks to rapid reporting and cooperation from a victim, the FBI and Justice Department prosecutors have disrupted the activities of a North Korean state-sponsored group deploying ransomware known as ‘Maui,’” said Deputy Attorney General Lisa O. Monaco yesterday at the International Conference on Cyber Security. “Not only did this allow us to recover their ransom payment as well as a ransom paid by previously unknown victims, but we were also able to identify a previously unidentified ransomware strain.”

Federal agencies this month recommended U.S. health care organizations take certain actions to protect against the Maui ransomware threat. [See July 9 Cybersecurity Saturday post.]

And, of course, what would we do without Bleeping Computer’s The Week in Ransomware – headlined “Attacks Abound.”

From the cyberdefenses front —

Health IT Security points us to

Drafted by the Health Information Management Working Group, the Cloud Security Alliance (CSA) released new guidance on third-party risk management in healthcare.

Threat actors are increasingly using third-party business associates as easier entry points into customer networks. Once inside the network, the malicious hackers may be able to access sensitive health data, encrypt files, and deploy ransomware on organizations that the associate does business with.

Cybersecurity Dive discusses public-private efforts to build the cybersecurity workforce.

The National Cyber Workforce and Education Summit highlighted an ongoing push to help meet an urgent demand for qualified cybersecurity professionals. 

Cyberseek research shows there are more than 700,000 open cybersecurity jobs in the U.S. and organizations face serious challenges in finding a diverse pool of workers. There is also heightened pressure to defend against a recent surge in malicious cyber activity. 

A range of government agencies, private sector companies and nonprofit organizations have made commitments to recruit, train and encourage potential employees to pursue careers in cybersecurity. 

Organizations are also making an effort to better train students in math, science and related fields to better prepare the workforce of the future. 

In that regard, the article points out five programs to develop cybersecurity talent. What’s more, Govexec reports

Kiran Ahuja, director of the Office of Personnel Management, told lawmakers on Thursday [July 21] that her agency wants “to work with Congress to develop a governmentwide cyber workforce plan that puts agencies on equal footing in competing for cyber talent.”

Special cyber hiring and pay authorities at the Department of Homeland Authority create competition for talent among government agencies – something that needs to be addressed, she said along with Jason Miller, deputy director for management at the Office of Management and Budget.

“Congress passed a particular cyber talent program for DHS that has now become sort of … the king of programs within the federal government and other agencies are having to compete with that,” said Ahuja during a hearing of the House Oversight and Reform Committee’s Government Operations subcommittee.

Finally, Security Boulevard offers “defense against ransomware” tips.

Cybersecurity Saturday

From the cybersecurity policy front, Cyberscoop reports

An amendment that includes cyber protections to defend “systemically important” critical infrastructure — such as large energy utilities, telecom providers and major financial institutions — won adoption in the U.S. House of Representatives Thursday.

The legislation is an outgrowth of the work of the Cyberspace Solarium Commission, which originally recommended a model similar to that envisioned in the bill. It mandates that the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) designate infrastructure needed for “national critical functions,” with operators at designated entities required to report to CISA and the national cyber director on their management of cyber risk.

Designation will require organizations to disclose risk management strategies for critical assets and supply chains; share and receive threat intelligence with the government, and allow federal agencies to examine operations and assess performance-based security goals.

The amendment was made to the must-pass annual National Defense Authorization Act by voice vote. The Senate is working on its own version of the FY 2023 NDAA.

Cyberscoop adds, “The U.S. Chamber of Commerce criticized the amendment as written and sent a letter to all House members Wednesday, noting that many businesses’ “core policy goals” are not acknowledged, including legal liability protections and national preemption of state cybersecurity and protection laws.”

Health IT Security informs us

In its first-ever report, the Cyber Safety Review Board (CSRB) labeled Log4j (CVE-2021-44228) as an “endemic vulnerability” and said that vulnerable instances of Log4j could remain in systems for “a decade or longer.”

President Biden established the Cyber Safety Review Board in February 2022 as part of the administration’s executive order (EO 14028) on improving the nation’s cybersecurity. The Board is made up of 15 cybersecurity leaders from the federal government and the private sector and functions to review major cyber events and make suggestions for improving security in the private and public sectors.

For the report, CSRB reviewed instances of Log4j exploitation by engaging with approximately 80 organizations to gain an understanding of how organizations dealt with and are still dealing with Log4j.

Cybersecurity Dive explains

The [open source Log4j] vulnerability made it easy for threat actors to take control of compromised systems, and, since it was so difficult to spot without a comprehensive Log4j “customer list,” organizations struggled to identify and remediate it, according to the board. 

What made the vulnerability particularly disruptive is that a third party disclosed the flaw before the Apache Software Foundation, which supports Log4j, could create a fix, the review board said. A race between threat actors and companies to exploit or fix the vulnerability ensued.

Log4j highlighted how the open source community, often composed of volunteers, has inherent risks stemming from resource constraints. In response, the board called for public and private sector stakeholders to create a hub of centralized resources to better support the open source community. 

The board’s recommendations echo what the security industry has taken up as a battle cry in the last year: the software industry needs to change to create a better model of vulnerability management. 

Nextgov adds

[The CSRB] has said all it plans to say on the incident referred to as “SolarWinds,” under an executive order mandate. That order came in response to the intrusion event’s compromise of several federal agencies and high-profile tech companies.

“We have fully complied with the executive order,” said Rob Silvers, undersecretary for policy at DHS. “The White House and the Department of Homeland Security together determined that when the board was launched, that at that point in time, the best use of the board’s expertise and resources was to examine the recent events involved in the Log4j vulnerability.”

Cybersecurity Dive reports

A decades-old ambition to foster a worldwide, open, secure and interoperable internet hasn’t materialized. In lieu of that, cyberspace is more fragmented, less free and more dangerous, the Council on Foreign Relations wrote this week in a report.

The U.S. is losing the cyberspace race because it remains too rigidly focused on achieving traditional American values, such as global openness, to the detriment of domestic privacy legislation, the report said. Adversaries have exploited this weakness with alarming precision and are now projecting power and exerting influence in the digital realm.

Meanwhile, federal authorities are still organizing efforts for a more cohesive and effective response by identifying roles and responsibilities in government, and strengthening collaboration between agencies and enterprises.

Many challenges remain unmet. National Cyber Director Chris Inglis, during a keynote at last month’s RSA Conference, estimated the U.S. is about four-fifths of the way there before it can effectively “crowdsource [transgressors] the way they’ve crowdsourced us.”

NIST announced the activation of its new SP 800-53 Public Comment Site. Learn more about the SP 800-53 Comment Site, and use the online User Guide for step-by-step instructions on how to participate in the public comment process, available under “View Candidates” and “Provide comments on candidates.” NIST SP 800-53 is the only NIST publication mentioned in the OPM standard FEHB contracts.

From the cyber vulnerabilities front —

  • HHS’s Health Sector Cybersecurity Coordination Center (HC3) released its report on June 2022 vulnerabilities of interest to the healthcare sector.
  • Cybersecurity Dive reports “U.S. companies are facing an enormous challenge in managing enterprise security, as almost half of all endpoint devices — including computers and other mobile devices — cannot be detected by IT departments or they are running on outdated operating system software, according to a study from Adaptiva and the Ponemon Institute released [last] Wednesday.” 
  • Cybersecurity Dive also tells us, “Brute-force attacks remain, overwhelmingly, the most common threat vector for cloud service providers, comprising 51% of all attacks in the first quarter of 2022, according to analysis from Google Cloud. Threat actors automatically scan for and compromise misconfigured cloud services, but the continued use of weak or default passwords poses the greatest risk, Google’s Cybersecurity Action team concluded in its latest Threat Horizons report.”
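Google Cloud’s finding that brute-force attacks against weak or default passwords dominate cloud intrusions is one of the easier things to detect from authentication logs. The following is an added example, not code from the original post or from Google; the log format, the 5-failures-in-2-minutes threshold and the sample lines are constructed assumptions. It keeps a sliding window of failures per source address, raises one alert when the window fills, and raises a second, higher-priority alert if a success follows a burst, which is the case a defender most needs to see.

```python
"""Sliding-window brute-force detection over authentication log lines.
Added example with a constructed log format: '<ISO8601 ts> <src_ip> <user> <FAIL|OK>'."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log (RFC 5737 documentation addresses; not real events).
SAMPLE_LOG = """\
2022-04-01T10:00:01Z 203.0.113.7 admin FAIL
2022-04-01T10:00:05Z 203.0.113.7 admin FAIL
2022-04-01T10:00:09Z 203.0.113.7 root FAIL
2022-04-01T10:00:14Z 203.0.113.7 admin FAIL
2022-04-01T10:00:18Z 203.0.113.7 admin FAIL
2022-04-01T10:00:23Z 203.0.113.7 admin FAIL
2022-04-01T10:00:30Z 203.0.113.7 admin OK
2022-04-01T10:01:00Z 198.51.100.9 alice FAIL
2022-04-01T10:01:04Z 198.51.100.9 alice FAIL
2022-04-01T10:01:09Z 198.51.100.9 alice OK
2022-04-01T10:00:00Z 192.0.2.50 svc FAIL
2022-04-01T10:10:00Z 192.0.2.50 svc FAIL
2022-04-01T10:20:00Z 192.0.2.50 svc FAIL
2022-04-01T10:30:00Z 192.0.2.50 svc FAIL
2022-04-01T10:40:00Z 192.0.2.50 svc FAIL
2022-04-01T10:50:00Z 192.0.2.50 svc FAIL
"""


def parse_line(line: str):
    """Parse one constructed log line into (timestamp, src_ip, user, result)."""
    ts, ip, user, result = line.split()
    # fromisoformat does not accept a trailing 'Z' on older Pythons; normalise it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, result


def detect_bruteforce(lines: List[str], threshold: int = 5,
                      window: timedelta = timedelta(minutes=2)) -> List[Dict]:
    """Return alerts for sources with >= threshold failures inside `window`,
    plus a separate alert when a success follows such a burst."""
    recent_fails = defaultdict(deque)   # src_ip -> timestamps of failures in window
    users_tried = defaultdict(set)      # src_ip -> usernames seen in the burst
    alerts = []
    for ts, ip, user, result in sorted(parse_line(l) for l in lines if l.strip()):
        fails = recent_fails[ip]
        # Drop failures that have aged out of the window.
        while fails and ts - fails[0] > window:
            fails.popleft()
        if result == "FAIL":
            fails.append(ts)
            users_tried[ip].add(user)
            if len(fails) == threshold:   # fire once as the window fills
                alerts.append({"kind": "burst", "src_ip": ip, "at": ts,
                               "failures": threshold,
                               "users": sorted(users_tried[ip])})
        elif result == "OK":
            if len(fails) >= threshold:   # a login succeeded right after a burst
                alerts.append({"kind": "success_after_burst", "src_ip": ip,
                               "at": ts, "user": user, "failures": len(fails)})
            fails.clear()
            users_tried[ip].clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

In the sample, 203.0.113.7 trips both alerts, 198.51.100.9 (two failures then a success) stays quiet, and 192.0.2.50 never triggers because its six failures are spaced ten minutes apart; a slow, spread-out guess like that is the reason to pair this check with a longer-horizon count and with the weak-password hygiene the Google report actually calls for.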

From the ransomware front — while The Week in Ransomware’s writer is evidently on summer vacation, Bleeping Computer does alert us

Hackers are impersonating well-known cybersecurity companies, such as CrowdStrike, in callback phishing emails to gain initial access to corporate networks.

Most phishing campaigns embed links to landing pages that steal login credentials or emails that include malicious attachments to install malware.

However, over the past year, threat actors have increasingly used “callback” phishing campaigns that impersonate well-known companies requesting you call a number to resolve a problem, cancel a subscription renewal, or discuss another issue.

When the target calls the numbers, the threat actors use social engineering to convince users to install remote access software on their devices, providing initial access to corporate networks. This access is then used to compromise the entire Windows domain [by implementing ransomware code].

From the cybersecurity defense front —

  • Cybersecurity Dive discusses the challenges facing mid-sized employers. For example, “The rising cost of cyber insurance continues to be an issue for mid-sized companies. Research shows almost half of all the companies surveyed saw rate increases of 76% or more during the past year.”
  • Speaking of which, Cybersecurity Dive also reports, “The “vast majority” of cyber insurers plan to remain in the market over the next three years as the industry establishes an operations baseline to cope with very high claim volume, research from Panaseer released this week shows. * * * [T]o keep up with demand, cyber insurers acknowledge the need to rethink the underwriting process. Nine out of 10 respondents want to create a consistent, metric-based approach to measuring an organization’s cyber risk, the survey of 400 cyber insurance decision makers shows.”

Cybersecurity Saturday

From Capitol Hill, Cybersecurity Dive reports

Democratic lawmakers are continuing to call on federal agencies to increase data privacy protection for patients seeking abortions, following the Supreme Court’s decision ending the constitutional right to the procedure.

Seventy-two Democratic members of Congress sent a letter Wednesday to Lina Khan, chair of the Federal Trade Commission, urging her to use the “full power” of her office to enact safeguards against data brokers collecting and selling data that could be used to prosecute pregnancy-related crimes.

The letter to the FTC follows one sent Friday by Democrat senators to HHS urging the department to update the HIPAA privacy law to limit when covered entities can share information about abortion services.

From the cyber breaches front, Cybersecurity Dive tells us

Marriott International last month suffered its third publicly acknowledged data breach in four years. The hotel chain disclosed the incident after DataBreaches.net reported an unnamed threat actor claimed to have stolen 20 gigabytes of sensitive data. * * *

Marriott claims the incident was quickly contained and potential exposure was limited to about 400 individuals. * * *

In the latest incident, a threat actor “used social engineering to trick one associate at a single Marriott hotel into providing access to the associate’s computer,” a Marriott spokesperson said via email. “The threat actor did not gain access to Marriott’s core network.”

Following an investigation, the company said it determined the information that was accessed primarily contained non-sensitive internal business files regarding the property’s operations.

The hotel chain said it identified the breach and was investigating the incident before the threat actor contacted the company in an extortion attempt. Marriott did not pay the threat actor, according to the company spokesperson.

From the cyber vulnerabilities front, CISA announced last Wednesday

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Department of the Treasury (Treasury) today released a joint Cybersecurity Advisory (CSA) that provides information on Maui ransomware, which has been used by North Korean state-sponsored cyber actors since at least May 2021 to target Healthcare and Public Health (HPH) Sector organizations.

The CSA titled, “North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector,” provides technical details and indicators of compromise (IOC) observed during multiple FBI incident response activities over a period of more than a year and obtained from industry analysis of Maui samples. North Korean state-sponsored actors were observed using Maui ransomware to encrypt HPH servers responsible for providing healthcare services. In some cases, the malicious activity disrupted the services provided by the victim for prolonged periods.

The HPH Sector, as well as other critical infrastructure organizations, are urged to review this joint CSA and apply the recommended mitigations to reduce the likelihood of compromise from ransomware operations. The FBI, CISA, and Treasury assess that North Korean state-sponsored actors are likely to continue targeting HPH Sector organizations, because of the assumption that these organizations are willing to pay ransoms to avoid disruption of the critical life and health services they provide. For more information on state-sponsored North Korean malicious cyber activity, see CISA’s North Korea Cyber Threat Overview and Advisories webpage.

The FBI, CISA, and Treasury strongly discourage paying ransoms as doing so does not guarantee files and records will be recovered and may pose sanctions risks. In September 2021, Treasury issued an advisory highlighting the sanctions risk associated with ransomware payments and providing steps that can be taken by companies to mitigate the risk of being a victim of ransomware.

All organizations should share information on cybersecurity incidents and anomalous activity to CISA 24/7 Operations Center at report@cisa.gov or (888) 282-0870 and/or to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

Healthcare IT News offers a report on this announcement here.

Cybersecurity Dive reports

The group behind Hive ransomware completed a full code migration and overhaul to use a more complex encryption method for its ransomware as a service payload, researchers from Microsoft Threat Intelligence Center found.

Microsoft describes Hive, which was first observed in June 2021, as one of the most prevalent ransomware payloads and one of the fastest evolving ransomware families. 

By migrating code from Go to Rust, Hive can use string encryption that boosts its ability to evade discovery, deepen control over the code and heighten protection against reverse engineering.

Of course, here’s a link to the current Week in Ransomware from Bleeping Computer. Check it out.

From the cyber defenses front —

  • Cybersecurity Dive identifies CISO priorities for the second half of this year.
  • In a similar vein, ZDNet discusses “the cybersecurity threats of tomorrow that you should be thinking about today. The rise of quantum computing, deepfakes, the Internet of Things and more are among the things that could create very real challenges for cybersecurity going forwards.”
  • Speaking of quantum computing, CISA announced this week “the establishment of a Post-Quantum Cryptography Initiative to unify and drive agency efforts to address threats posed by quantum computing.” HHS’s HC3 released a timely PowerPoint presentation on Quantum Cryptography and the Health Care Sector.
  • An ISACA expert promotes “The Case for Outcome-Based Cybersecurity: A Data-Focused Shift in Cybersecurity Management.”
  • Cybersecurity Dive brings us current on 5G network security issues. “The most prevailing security challenge in 5G infrastructure is the significant expansion of the attack surface in relation to pre-5G networks,” Ron Westfall, senior analyst and research director at Futurum Research, said.

Cybersecurity Saturday

From the policy front, Health IT Security reports that

In its latest report, the US Government Accountability Office (GAO) called on HHS to improve the healthcare data breach reporting process. Specifically, GAO urged HHS to create a mechanism for entities to provide feedback on the breach reporting process. * * *

HHS concurred with GAO’s recommendations and said it would begin soliciting feedback related to the breach reporting process.

“Specifically, OCR plans to add language and contact information to the confirmation email that regulated entities receive when they submit breach reports through the HHS Breach Portal to invite feedback and questions about the breach reporting process,” GAO stated.

“The agency also plans to implement procedures for OCR’s regional offices to regularly review and address emails received about the breach reporting process through their respective mailboxes. We will continue to follow up with HHS to validate its implementation of this recommendation.”

Health IT Security adds that

GAO’s report also analyzed OCR’s methods of assessing whether covered entities had implemented recognized security practices, as required by the HIPAA Safe Harbor bill, a January 2021 amendment to HITECH.

To advance these efforts, in March 2022, OCR finalized standard operating procedures for investigators to use when assessing these security practices. Additionally, OCR issued a request for information to seek input on the contents of the recognized security practices in early April. OCR received feedback from a variety of industry groups and later announced that it would produce a video presentation on HITECH recognized security practices.

“OCR plans to finalize the review process for considering whether covered entities and business associates have implemented recognized security practices no later than the summer of 2022,” the report explained.

From the cyber vulnerabilities front —

CISA informs us

The Homeland Security Systems Engineering and Development Institute, sponsored by CISA and operated by MITRE, has released the 2022 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses list. The list uses data from the National Vulnerability Database to compile the most frequent and critical errors that can lead to serious vulnerabilities in software. An attacker can often exploit these vulnerabilities to take control of an affected system, obtain sensitive information, or cause a denial-of-service condition. This year’s list also incorporates updated weakness data for recent Common Vulnerabilities and Exposure records in the dataset that are part of CISA’s Known Exploited Vulnerabilities Catalog.

CISA encourages users and administrators to review the 2022 CWE Top 25 Most Dangerous Software Weaknesses and evaluate recommended mitigations to determine those most suitable to adopt.

CISA added nine known exploited vulnerabilities to its catalog this week in this post and that one.

Here’s a link to a ZDNet article about this CISA action.

From the ransomware front

CISA posted the following joint cybersecurity advisory (“CSA”) yesterday

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN) are releasing this CSA to provide information on MedusaLocker ransomware. Observed as recently as May 2022, MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks. The MedusaLocker actors encrypt the victim’s data and leave a ransom note with communication instructions in every folder containing an encrypted file. The note directs victims to provide ransomware payments to a specific Bitcoin wallet address. MedusaLocker appears to operate as a Ransomware-as-a-Service (RaaS) model based on the observed split of ransom payments. Typical RaaS models involve the ransomware developer and various affiliates that deploy the ransomware on victim systems. MedusaLocker ransomware payments appear to be consistently split between the affiliate, who receives 55 to 60 percent of the ransom; and the developer, who receives the remainder. 


Healthcare Dive adds

MedusaLocker operates under the ransomware as a service model, splitting payments with affiliates who typically get 55% to 60% of the proceeds. The group has been active as recently as May, launching phishing and spam email campaigns to gain initial access. 

A report from CyberReason said MedusaLocker first emerged in late 2019, targeting companies across industries. The group was particularly active in the healthcare space, where many organizations were attacked in connection to the COVID-19 pandemic.

ZDNet tells us

A recently developed form of malware has quickly become a key component in powering ransomware attacks. 

The malware, called Bumblebee, has been analysed by cybersecurity researchers at Symantec, who’ve linked it to ransomware operations including Conti, Mountlocker and Quantum.

“Bumblebee’s links to a number of high-profile ransomware operations suggest that it is now at the epicenter of the cyber-crime ecosystem,” said Vishal Kamble, principal threat analysis engineer on Symantec’s Threat Hunter team. 

Of course, here’s a link to Bleeping Computer’s The Week in Ransomware.

It has been relatively busy this week with new ransomware attacks unveiled, a bug bounty program introduced, and new tactics used by the threat actors to distribute their encryptors.

This week’s big news was the release of LockBit 3.0, which includes a new bug bounty reward program where the threat actors pay between $1,000 to $1 million for submitted bugs and new ways of enhancing their operation.

We also learned that a LockBit affiliate is distributing the ransomware through fake copyright infringement emails, Word docs are used to install AstraLocker directly, and the Black Basta gang is exploiting the PrintNightmare vulnerabilities.

From the cyberdefenses front

ZDNet reports

Many businesses will fail to see the benefits of their zero-trust efforts over the next few years, while legislation around paying off ransomware gangs will be extended and attacks on operational technology might have real-life consequences, according to a set of cybersecurity predictions.

The list comes from tech analyst Gartner, which said business leaders should build these strategic planning assumptions into their security strategies for the next two years.

“We can’t fall into old habits and try to treat everything the same as we did in the past,” said Gartner senior director, Richard Addiscott. “Most security and risk leaders now recognize that major disruption is only one crisis away. We can’t control it, but we can evolve our thinking, our philosophy, our program and our architecture.”

[Here’s the list:]

1. Consumer Privacy Rights will be extended * * *

2. By 2025, 80% of enterprises will adopt a strategy to unify web, cloud services and private application access * * *

3. Many organizations will embrace zero-trust, but fail to realize the benefits * * *

4. Cybersecurity will become key to choosing business partners * * *

5. Ransomware payment legislation will rise * * *

6. Hackers will weaponize operational technology environments to cause human casualties [by 2025] * * *

7. Resilience will be about more than just cybersecurity * * *, and

8. Cybersecurity will matter for the CEO’s bonus * * *.

Cybersecurity Dive reports

Rate pressures on the cyber industry sector began to moderate as a surge in new buyers, and corporate enforcement of cyber hygiene led to a more stable market, according to research from global insurance firm Marsh released Wednesday.

Half of Marsh’s U.S. clients purchased standalone cyber insurance policies in 2021, almost double the 26% of clients in 2016. More businesses understand the financial risks of a cyberattack affecting their bottom line, Marsh said.

Meanwhile, cyber insurance rates are leveling out. Rate increases have steadily dropped from the high reached in Dec. 2021 when businesses paid, on average, 133% more for cyber insurance year over year. That rate increase dropped to 107% in March and 90% in April. Research firm AM Best also found a more moderate pace of rate increases in Q1, Chris Graham, senior industry analyst, said.

Health IT Security adds

Surveyed healthcare cybersecurity leaders reported leveraging multifactor authentication (MFA), identity and access management, and privileged access management (PAM) solutions in hopes of lessening the likelihood of a cyber insurance premium hike, a report from Imprivata conducted by WBR Insights found.

Closer to the desktop, Cybersecurity Dive tells us

Google is rolling out key updates to its password management capabilities as part of an effort to boost security across multiple operating systems and browsers for mobile and desktop users, the company said in an announcement Thursday.

Google Password Manager users will now have the same unified experience whether using Chrome or Android, and iPhone users can now manage passwords through the iOS platform.

Google will automatically warn users about compromised credentials, on top of reused and weak passwords. In addition, Google will warn users about compromised passwords on a range of operating systems and platforms, including Android, Chrome OS, Windows, iOS, MacOS and Linux.

Cybersecurity Saturday

From Capitol Hill, Security Week reports

Two bipartisan cybersecurity bills were signed into law on Tuesday, June 21, 2022, by US President Joe Biden: the Federal Rotational Cyber Workforce Program Act of 2021, and the State and Local Government Cybersecurity Act of 2021.

The Federal Rotational Cyber Workforce Program Act, which has been around since 2018, proposes a program under which certain federal employees can be temporarily moved to other agencies in an effort to boost their skills.

Agencies can determine whether a position involving IT or cybersecurity is eligible for the program. The Office of Personnel Management is tasked with creating an operation plan, and the Government Accountability Office must assess the effectiveness of the program.

The State and Local Government Cybersecurity Act of 2021, is meant to improve collaboration between the Department of Homeland Security and state, local, tribal and territorial governments.

From the cyber vulnerabilities front —

Health IT Security informs us

Application Programming Interface (API) adoption is steadily increasing in the healthcare sector, but APIs do not come without cybersecurity risks. In fact, Gartner predicted that API attacks would become the most common attack vector by 2022.

In healthcare, evidence suggests that API adoption could revolutionize interoperability efforts and health data exchange. In addition, providers are increasingly implementing APIs to comply with the CMS Interoperability and Patient Access final rule. Meanwhile, the HL7 Fast Healthcare Interoperability Resources (FHIR) standard is quickly gaining recognition in the health IT space.

In a recent report, Imperva partnered with the Marsh McLennan Global Cyber Risk Analytics Center to analyze API-related incident data and quantify the cost of API insecurity. Researchers discovered that the lack of security APIs may cause $12 billion to $23 billion in average annual API-related cyber loss in the US and anywhere from $41 billion to $75 billion globally.

“These estimates provide a view on losses that are entirely avoidable,” the report suggested.

“If companies made an upfront investment in properly securing all of their APIs, their API-related losses could decrease significantly even as their API adoption continues to increase.”

Cybersecurity Dive tells us

Malicious actors continue to dog VMware Horizon and Unified Access Gateway server deployments, capitalizing on unpatched Log4Shell, the Cybersecurity and Infrastructure Security Agency said Thursday in a joint advisory with the U.S. Coast Guard Cyber Command.

The agencies are calling for organizations to update all VMware Horizon and UAG systems and, if fixes weren’t applied in Dec. 2021, organizations should consider their systems compromised and start threat hunting. 

Cybersecurity Dive adds

Two of every five organizations don’t have strong confidence in their open source software security, according to a joint study from The Linux Foundation and Snyk, a firm that specializes in developer security. Just half of organizations actually have a security policy related to open source development or usage, the research showed. 

The average application development project has 49 vulnerabilities and 80 direct dependencies, according to the report. 

The time required to fix vulnerabilities in open source more than doubled to 110 days in 2021, compared with 41 days during 2018, the report found.

From the ransomware front, we have a link to the latest Bleeping Computer’s The Week in Ransomware.

The Conti ransomware gang has finally ended their charade and turned off their Tor data leak and negotiation sites, effectively shutting down the operation.

Since May, a lone Conti member has been posting data from older victims to make the gang appear alive, but in reality, Conti shut down last month.

The members are now long spread out in smaller cells among different operations, making it more challenging to target the crime syndicate.

From the cyber defenses front, ISACA reports on “Why (and How to) Dispose of Digital Data.”

Cybersecurity Saturday

Cybersecurity Dive provides five takeaways from the RSA conference held in San Francisco from June 6 through 9.

From the cyber breach front, MeriTalk provides more details on the settlement of the lawsuit against OPM over the massive 2015 data breach.

The lead counsel in the class action said that individual victims are in line for minimum payments of $700 each under the terms of the settlement, which still needs to be finalized. * * *

The preliminary settlement agreement will be subject to further consideration at a fairness hearing set for Oct. 14.

From the cyber vulnerabilities front,

  • Here is a link to CISA’s known exploited vulnerabilities catalog. Bookmark that one.
  • Becker’s Hospital Review explains why “Cybersecurity experts say that the two biggest threats to healthcare cybersecurity are insider threats and ransomware.”
  • Security Week reports “Microsoft has fixed roughly 50 vulnerabilities with its June 2022 Patch Tuesday updates, including the actively exploited flaw known as Follina and CVE-2022-30190.”

From the ransomware front

  • Cybersecurity Dive discusses how ransomware groups are shifting tactics and objectives.
  • Here is a link to Bleeping Computer’s The Week in Ransomware.

From the cyber defense front

  • HHS’s Health Sector Cybersecurity Coordination Center (HC3) offers a presentation about strengthening cyber posture in the health sector.
  • TechRepublic reports that half of IT leaders want to implement more robust alternatives to passwords, and it describes options.
  • ISACA Journal offers an article on how businesses can reduce cybersecurity exposures to and from third parties.

Cybersecurity Saturday

From the cyberattack front, Federal News Network reports

A D.C. federal judge this week preliminarily approved a $63 million settlement as part of a class action lawsuit brought by victims of the breach into OPM databases. The breach was uncovered in 2015. By then, hackers had stolen the records of nearly 22 million current and former federal employees. The Chinese government is widely thought to be behind the attack. The proposed settlement would only compensate those who can prove they were financially affected by the breach. The court’s order set a Dec. 23 deadline to submit a claim.

Health IT Security adds “Shields Health Care Group reported a healthcare cyberattack to HHS impacting 2 million individuals. The Massachusetts-based healthcare group provides MRI, PET/CT, and ambulatory surgical services to patients across New England at more than 30 locations.”

From the cybervulnerabilities front, Cyberscoop explains

When the Cybersecurity and Infrastructure Security Agency [CISA] debuted its list of known, exploited vulnerabilities in November, it was nearly 300 flaws long and came attached to an order for federal agencies to fix them quickly.

Now, as of this week, the catalog known as “KEV” or the “Must-Patch” list is well on its way to 800 listings, and it’s the “No. 1 topic” that CISA Executive Director for Cybersecurity Eric Goldstein says comes up in his frequent, daily meetings with businesses.

The reason, said Goldstein, is that the private sector has — without any order from his agency — adopted the KEV list as a guide for the vulnerabilities they focus on, rather than relying on the traditional open-source industry standard Common Vulnerability Scoring System for assessing the severity of software weaknesses.

This week, CISA first added 36 and then three more known, exploited vulnerabilities to its catalog.

The HHS Health Sector Cybersecurity Coordination Center posted its May report about vulnerabilities of interest to the health sector.

Cybersecurity Dive updates us on Microsoft’s Follina and Atlassian’s Confluence recent zero-day vulnerabilities.

CISA released a joint federal agency alert on People’s Republic of China-sponsored cyber actors.

From the ransomware front, Security Week reports

It doesn’t pay to pay [ransom]. This advice on ransomware payment is often given, but rarely enumerated. Now it has been. A new study finds that 80% of companies that paid a ransom were hit a second time, with 40% paying again. Seventy percent of these paid a higher amount the second time round.

These figures come from an April 2022 Cybereason study that queried 1,456 cybersecurity professionals from organizations with 700 or more employees. The shocking nature of the statistics, published in Ransomware: The True Cost to Business (PDF), goes much deeper.

It’s not a problem that can be ignored with the vague belief, ‘it won’t happen to me’. Seventy-three percent of organizations have suffered at least one ransomware attack in the past 24 months – up 33% from last year.

Sixty percent of companies admitted ransomware gangs had been in their network from one to six months before they were discovered – a key indicator of a double extortion attack. But paying the double extortion fee doesn’t really help; nearly 200,000 companies never received their data back after paying. And the criminals still have the data regardless. Thirty-five percent of companies suffered C-level ‘resignations’ because of a ransomware attack.

Other key findings of the research include the prevalence of the supply chain as a factor in the attack. Sixty-four percent of companies believe the ransomware gang got into their network via one of their suppliers or business partners.

Health IT Security adds

Healthcare ransomware attacks are not slowing down, prompting an increased demand for reliable cyber insurance policies. But as healthcare cyberattacks skyrocket, cyber insurers are pushing up prices or leaving the market altogether, Sophos stated in its “State of Ransomware in Healthcare 2022” report.

Sophos surveyed 5,600 IT professionals, including 381 in healthcare, to garner insights on how healthcare organizations are navigating the cyber threat landscape.

The report found that 66 percent of surveyed healthcare organizations were hit by ransomware in 2021, up from just 34 percent in 2020. About 61 percent of those attacks resulted in data encryption. Survey results also revealed that healthcare was the most likely sector to pay a ransom. Just over 60 percent of respondents who experienced encryption admitted to paying the ransom, compared to a cross-sector average of 46 percent.

Here is a link to Bleeping Computer’s Week in Ransomware.

From the cyber defense front, here are links to a Wall Street Journal report on personal password management and a CISA article on multi-factor authentication.