Cybersecurity Saturday

Cyberscoop and Federal News Network discuss the history and next steps of the cyber incident reporting rules found in Division Y of the Consolidated Appropriations Act, 2022.

In other policy news, Healthcare Dive offers an interview with National Coordinator for Health IT Micky Tripathi in which he “shared his thoughts on the scope and content of the interoperability complaints, when industry can expect penalties for providers found information blocking and how the government plans to build on TEFCA moving forward.”

Health IT Security informs us

The Biden-Harris Administration recently called on all private sector organizations to immediately harden their cyber defenses in preparation for potential Russian cyberattacks.  

“My Administration will continue to use every tool to deter, disrupt, and if necessary, respond to cyberattacks against critical infrastructure,” Biden stated publicly.

While there have been no direct threats against healthcare, the sector is known to be a top target for cyberattacks. The Health Sector Cybersecurity Coordination Center’s (HC3) most recent threat brief outlined a detailed history of Russian attacks on US healthcare entities.

Conti ransomware group, which has ties to Russia, was connected to at least 300 cyberattacks against US-based organizations. Conti claimed responsibility for at least 16 US healthcare sector cyberattacks.

HC3 listed past attacks committed by NotPetya, FIN12, and Ryuk, all of which have ties to Russia. In addition, the government identified two new forms of disk-wiping malware, HermeticWiper and WhisperGate, which threat actors used to attack Ukrainian organizations shortly before Russia’s invasion.

Echoing the President’s sentiments, HC3 and Health-ISAC released a statement warning the healthcare sector to take the Administration’s advice and tighten security controls.

Health IT Security adds

Of all critical infrastructure sectors, the healthcare sector faced the most ransomware attacks in 2021, the Federal Bureau of Investigation’s (FBI) 2021 Internet Crime Report revealed. The FBI’s Internet Crime Complaint Center (IC3) also observed a 7 percent increase in total internet crime complaints in 2021 compared to 2020.  

Phishing scams, non-payment or non-delivery scams, and personal data breaches were the most reported cybercrimes in 2021, the report continued. The victims tracked by the IC3 in 2021 lost over $6.9 billion in total, thanks to a multitude of cyber threats. Many of those cyber threats hid in plain sight, disguising themselves as legitimate investment opportunities, tech support, and real estate prospects.

The IC3 received 148 complaints of healthcare ransomware attacks. The next-highest number came from the finance sector, with just 89 complaints.

Looking at the issue from the perspective of a different data source, Politico reports

Nearly 50 million people in the U.S. had their sensitive health data breached in 2021, a threefold increase in three years, according to a POLITICO analysis of the latest HHS data.

Health care organizations including providers and insurers in every state except South Dakota reported such incidents last year. About half of states and Washington, D.C., saw more than 1 in 10 of their residents directly impacted by unauthorized access to their health information, according to the analysis. And hacking accounted for nearly 75 percent of all such breaches — up from 35 percent in 2016.

Experts say the increased hacking can be attributed to the health care industry’s rapid move to digital, particularly amid the Covid-19 pandemic; an increase in remote work, which allows more avenues for attacks with employees using more personal devices; the financially lucrative information for cybercriminals in health care; and greater awareness of attacks across the industry, thus more reporting.

Also from the cyberthreat front —

  • “The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Energy (DOE) published a joint Cybersecurity Advisory [on March 24] with information on multiple intrusion campaigns targeting U.S. and international energy sector organizations conducted by indicted Russian state-sponsored cyber actors from 2011 to 2018. In conjunction with the U.S. Department of Justice unsealed indictments today, this advisory provides the technical details of a global energy sector intrusion campaign using Havex malware, and the compromise of a Middle East-based energy sector organization using TRITON malware.”  
  • CISA added “66 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. Note: to view the newly added vulnerabilities in the catalog, click on the arrow in the “Date Added to Catalog” column, which will sort by descending dates.”
  • TechRepublic reports “A relatively new cybercriminal group has quickly gained an infamous reputation for its unique tactics and successful attacks against several major organizations. Known as Lapsus$, the gang uses social engineering to target its victims and has reportedly hit such companies as Samsung, Okta, NVIDIA and Microsoft. In a blog post published Tuesday, Microsoft provides insight into the group’s tactics and techniques and offers tips on how to protect your organization from these attacks.”
  • The FBI and Treasury’s FinCen released “a joint Cybersecurity Advisory identifying indicators of compromise associated with AvosLocker ransomware. AvosLocker is a ransomware-as-a-service affiliate-based group that has targeted victims across multiple critical infrastructure sectors in the United States including, but not limited to, the Financial Services, Critical Manufacturing, and Government Facilities sectors.”
  • Here is a link to Bleeping Computer’s The Week in Ransomware.

From the cyber defense and responsibilities front —

  • The Department of Health and Human Services released “guidance to clarify covered entities’ obligation to require that business associates comply with HIPAA regulations, as specified by 45 Code of Federal Regulations (C.F.R.) § 162.923(c).”
  • Cybersecurity Dive discusses “how to keep business operations running after a cyber incident.”
  • ZDNet offers small business and individuals Windows 11 security advice.

Cybersecurity Saturday

Following up on the President’s signature of the Consolidated Appropriations Act on March 15, Cybersecurity Dive discusses the new critical infrastructure cyberattack reporting requirements. Those requirements will take effect after the Cybersecurity and Infrastructure Security Agency issues implementing regulations. Those regulations, in turn, will let us know whether and to what extent healthcare entities are part of the critical infrastructure subject to the new reporting requirements.

From the vulnerability front, the HHS Cybersecurity Program released its February 2022 vulnerability bulletin on March 18.

Tech Republic reviews the latest vulnerabilities that CISA has added to its catalog.

More specifically, Bleeping Computer informs us

The Federal Bureau of Investigation (FBI) warns of AvosLocker ransomware being used in attacks targeting multiple US critical infrastructure sectors.

This was disclosed in a joint cybersecurity advisory published this week in coordination with the US Treasury Department and the Financial Crimes Enforcement Network (FinCEN).

“AvosLocker is a Ransomware as a Service (RaaS) affiliate-based group that has targeted victims across multiple critical infrastructure sectors in the United States including, but not limited to, the Financial Services, Critical Manufacturing, and Government Facilities sectors,” the FBI said [PDF].

Cybersecurity Dive adds

The FBI and Cybersecurity and Infrastructure Security Agency on Tuesday warned U.S. organizations about Russian state-sponsored threat actors exploiting the PrintNightmare vulnerability, as well as misconfigured account settings used in multifactor authentication (MFA) to launch attacks. 

The threat actors were able to launch an attack against a non-government organization (NGO) dating back to May 2021 using a misconfigured MFA setting set to default. They used the flaw to enroll a new device and gained network access, according to the bulletin. The attackers later exploited the PrintNightmare vulnerability to steal documents after gaining access to the cloud and email accounts. 

Separately, ESET researchers are warning about a third data wiping malware called CaddyWiper, which destroys user data and partition information. The wiper was found Monday on several dozen systems in a limited set of organizations in Ukraine, but does not share code similarities with either HermeticWiper or IsaacWiper.
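The bulletin quoted above describes a default MFA setting that let an attacker enroll a new device on an account and walk in with a stolen password. The following Python model is an added example, not code from the bulletin or any vendor: it contrasts a permissive policy with a hardened one, audits the weak settings, and runs a simple detection over constructed enrollment events (all policy field names, account records and log lines are assumed).

```python
"""Model of the MFA failure mode described in the FBI/CISA bulletin summarized above:
a default setting that lets a new device be enrolled on an account with no device yet.
Policy fields, account records and log events are constructed for this example
(hypothetical names, not any vendor's real settings)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class MfaPolicy:
    allow_self_enrollment_at_login: bool  # first successful login binds a device
    max_inactive_days: Optional[int]      # None = never check account inactivity
    require_enrollment_token: bool        # enrollment needs an admin-issued token


@dataclass
class Account:
    username: str
    enabled_in_directory: bool
    enrolled_devices: int
    last_login: date
    has_enrollment_token: bool = False


# Permissive "default-style" policy versus a hardened one (assumed values).
DEFAULT_POLICY = MfaPolicy(allow_self_enrollment_at_login=True,
                           max_inactive_days=None, require_enrollment_token=False)
HARDENED_POLICY = MfaPolicy(allow_self_enrollment_at_login=False,
                            max_inactive_days=30, require_enrollment_token=True)


def evaluate_enrollment(acct: Account, policy: MfaPolicy, today: date):
    """Decide whether a password-authenticated session may enroll a new MFA device.
    Returns (allowed, reason)."""
    if not acct.enabled_in_directory:
        return False, "account disabled in directory"
    idle_days = (today - acct.last_login).days
    if policy.max_inactive_days is not None and idle_days > policy.max_inactive_days:
        return False, f"account inactive for {idle_days} days"
    if acct.has_enrollment_token:
        return True, "admin-issued enrollment token presented"
    if policy.require_enrollment_token:
        return False, "enrollment token required"
    if acct.enrolled_devices == 0 and policy.allow_self_enrollment_at_login:
        # This branch is the gap: whoever holds the password owns the second factor.
        return True, "self-enrollment on first login"
    return False, "account already enrolled; re-enrollment needs admin action"


def audit_policy(policy: MfaPolicy) -> List[str]:
    """Configuration review: list the weak settings a reviewer should flag."""
    findings = []
    if policy.allow_self_enrollment_at_login:
        findings.append("self-enrollment at login lets a dormant, un-enrolled account be claimed")
    if policy.max_inactive_days is None:
        findings.append("no inactivity cutoff; stale accounts remain enrollable")
    if not policy.require_enrollment_token:
        findings.append("enrollment not tied to an out-of-band token")
    return findings


def flag_suspicious_enrollments(events, accounts, max_idle_days=30):
    """Detection pass over enrollment events: alert when a device is enrolled on an
    account that had no device and had been idle longer than max_idle_days."""
    by_name = {a.username: a for a in accounts}
    alerts = []
    for ev in events:
        acct = by_name.get(ev["user"])
        if acct is None or acct.enrolled_devices != 0:
            continue
        idle = (ev["when"] - acct.last_login).days
        if idle > max_idle_days:
            alerts.append((ev["user"], idle))
    return alerts


# Constructed sample data: a dormant account still enabled in the directory but
# never enrolled in MFA, alongside a normal active user and a new hire.
TODAY = date(2021, 5, 15)
ACCOUNTS = [
    Account("j.doe", True, 1, date(2021, 5, 14)),
    Account("svc-legacy", True, 0, date(2021, 1, 10)),
    Account("new.hire", True, 0, date(2021, 5, 15), has_enrollment_token=True),
]
EVENTS = [  # constructed enrollment log records
    {"user": "svc-legacy", "when": TODAY, "device": "phone-unknown"},
    {"user": "new.hire", "when": TODAY, "device": "phone-corp"},
]

if __name__ == "__main__":
    for acct in ACCOUNTS:
        for name, pol in (("default", DEFAULT_POLICY), ("hardened", HARDENED_POLICY)):
            print(acct.username, name, evaluate_enrollment(acct, pol, TODAY))
    print(audit_policy(DEFAULT_POLICY))
    print(flag_suspicious_enrollments(EVENTS, ACCOUNTS))
```

Under the default policy the dormant `svc-legacy` account can be bound to any device by whoever holds its password; the hardened policy refuses it on inactivity alone, and the detection pass flags the same event after the fact.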

From the ransomware front

  • Here’s a link to the latest “The Week in Ransomware” from Bleeping Computer.

In early September, researchers with Google’s Threat Analysis Group started tracking a financially motivated hacking group exploiting a since-patched Microsoft vulnerability to gain access to targeted computers. 

Later it became clear that the group is what’s known as an initial access broker — a crew specializing in gaining entry to high-value networks and selling that access to other cybercriminals — and that it is closely affiliated with the notorious Conti ransomware organization.

In findings published Thursday, the Google researchers detail how the group they’re calling “Exotic Lily” employed relatively novel tactics to gain access to targets, and how, at its peak, the hackers sent an estimated 5,000 emails per day to as many as 650 targeted organizations globally.

From the cyberdefense front

  • The HIPAA Journal assesses the March 2022 cybersecurity newsletter from HHS’s Office for Civil Rights, the agency that enforces the HIPAA Privacy and Security Rules.

As the government looks to tighten procurement regulations for critical software, the National Institute of Standards and Technology issued a special publication detailing appropriate ways to assess an organization’s adherence to the agency’s go-to list of enhanced security requirements for protecting controlled but unclassified information.  

“Assessors obtain evidence during the assessment process to allow designated officials to make objective determinations about compliance to the CUI enhanced security requirements,” reads NIST guidance—SP 800-172A—published Tuesday. “The evidence needed to make such determinations can be obtained from various sources, including self-assessments, independent third-party assessments, government-sponsored assessments, or other types of assessments, depending on the needs of the organization establishing the requirements and the organization conducting the assessments.”

  • The Wall Street Journal offers an article by Stuart Madnick, who is the John Norris Maguire Professor of Information Technologies, Emeritus, at the MIT Sloan School of Management and the founding director of the Cybersecurity at MIT Sloan (CAMS) research consortium. Mr. Madnick explains why “[u]nless organizations fix the internal decision-making that allowed a cyberattack to occur, they could be vulnerable to further breaches, researchers say.”

Following up on last week’s post on Google’s acquisition of Mandiant, Cybersecurity Dive puts that transaction in perspective.

“Let’s face it, Google’s in a sort of a death race with AWS and Azure in terms of cloud supremacy, right,” said Garrett Bekker, a principal research analyst with S&P Global’s 451 Research. “To some extent, security is a tool that helps them get there more than an end in and of itself.”

Google’s gobbling up of Mandiant is the latest in a sector feeding frenzy. There were more than 200 M&A deals last year, with aggregate disclosed deal valuations exceeding $55 billion. In the past five years, there were more than 1,000 cybersecurity M&A deals, data from CB Insights show. 

This week recorded a $616.5 million acquisition, with SentinelOne’s plans to add Attivo Networks’ identity security to its XDR suite. 

Cybersecurity Saturday

Cyberscoop reports

The Senate cleared legislation Thursday evening that would make the Cybersecurity and Infrastructure Security Agency (CISA) a hub to receive mandatory industry reports about major cyber incidents and ransomware payments, as well as boost its budget 22% over last year.

Security Week adds

[The new law] requires any entity that’s considered part of the nation’s critical infrastructure, which includes the finance, transportation and energy sectors, to report any “substantial cyber incident” to the government within three days and any ransomware payment made within 24 hours.

[It] also empowers CISA to subpoena companies that fail to report hacks or ransomware payments, and those that fail to comply with a subpoena could be referred to the Justice Department for investigation.

The FEHBlog examined the new law’s definition of a covered entity and it appears to be sufficiently broad to encompass healthcare.

The FEHBlog learned that the cyber reporting provisions are found in Division Y of the Consolidated Appropriations Act, 2022 (the new law’s official name) and the cyber reporting requirements will take effect following CISA promulgation of implementing rules.

In related news, Bleeping Computer reports

The US Securities and Exchange Commission (SEC) has proposed rule amendments to require publicly traded companies to report data breaches and other cybersecurity incidents within four days after they’re determined as being a material incident (one that shareholders would likely consider important).

“In some cases, the date of the registrant’s materiality determination may coincide with the date of discovery of an incident, but in other cases the materiality determination will come after the discovery date,” the Wall Street watchdog explained.

According to newly proposed amendments to current rules, listed companies would have to provide information in periodic report filings on policies, implemented procedures, and the measures taken to identify and manage cybersecurity risks on Form 8-K.

The amended rules would also instruct companies to provide updates regarding previously reported security breaches.

In cybersecurity business news, the Wall Street Journal informed us on March 8

Google said it reached a deal to buy cybersecurity company Mandiant Inc. for nearly $5.4 billion, aiming to bolster its cloud unit with more cybersecurity offerings at a time when businesses have seen a wave of attacks on their systems.

The deal is the second-largest in history for the Alphabet Inc. unit and comes as the company is facing antitrust lawsuits from the Justice Department and multiple states for allegedly anticompetitive practices.

In buying Mandiant, Google provides a boost to its cloud business, which is rapidly growing but remains smaller than its key rivals. In the most recent quarter, the business saw revenue rise by about 45% to $5.54 billion, or about 7% of the company’s total quarterly revenue.

Thomas Kurian, chief executive of Google Cloud, said that Google wanted to draw from the insights of Mandiant’s threat research in how it applies security solutions to its products, and that the computing giant intended to retain the Mandiant brand. * * *

The companies said the deal is expected to close later this year. Google has faced intense regulatory scrutiny for smaller acquisitions. It took more than a year for Google to close its $2.1 billion acquisition of Fitbit LLC as regulators took a close look at the deal.

From the cyberthreat front, the HHS Cybersecurity Program this past week issued alerts on “PTC Axeda agent and Axeda Desktop Server Vulnerabilities” and a Conti ransomware update. Health IT Security reported on the Conti ransomware update here.

Conti actors typically gain initial access via spearphishing campaigns, stolen Remote Desktop Protocol (RDP) credentials, fake software promoted via search engine optimization, or common asset vulnerabilities.

CISA updated the advisory to include new indicators of compromise, including new domains that had registration and naming characteristics that were similar to those used by Conti in the past.

US organizations, especially in the healthcare sector, should remain on high alert and implement technical safeguards to prevent cyberattacks. Organizations should adopt multi-factor authentication, network segmentation, and frequent vulnerability scanning.

In addition, the advisory recommended that organizations remove unnecessary applications, implement endpoint and detection response tools, restrict access to RDP, and secure user accounts.

In other cybersecurity news, Health IT Security tells us

Although cyberattacks and data breaches have bombarded the healthcare sector in recent years, recent research from Immersive Labs found that healthcare conducts cyber incident response exercises far less than other industries.

Immersive Labs analyzed 35,000 members of the cybersecurity workforce from a variety of industries and found that the healthcare sector conducted only two cyber crisis exercises per year on average. The technology and financial services sectors conducted nine and seven crisis exercises per year on average, respectively.

It makes sense that highly targeted industries like technology and finance would prepare accordingly. But healthcare is an equally high-profile and highly regulated cyberattack target, making the lack of crisis response exercises troubling.

Cybersecurity Saturday

From Capitol Hill, Cyberscoop reports

The Senate passed legislation (S. 3600) Tuesday evening requiring critical infrastructure owners to report to the feds when they suffer a major cyberattack or make a ransomware payment — shaking loose a bill that got stuck in the chamber last year.

Under the measure, which now moves to the House for potential consideration, those critical infrastructure owners and operators as well as federal agencies would have to disclose a significant incident to the Department of Homeland Security’s Cybersecurity and Infrastructure Agency within 72 hours. The same owners and operators would have to report any ransomware payments to CISA, too, only within 24 hours.

Its intent is to give CISA the information it needs to more widely share threat data to help curtail major cyberattacks rippling through key targets, such as what happened in late 2020 when federal contractor SolarWinds suffered a compromise that ended up spreading to federal agencies and major tech companies.

The bill also contains other provisions designed to strengthen federal agencies’ digital defenses. The package got sidelined at the end of 2021 when lawmakers couldn’t resolve a dispute in time over whom the ransomware requirements should apply to, leaving it out of an annual defense policy bill that Congress has enacted for 61 straight years.

The Senate, which passed the bill by unanimous consent, sent S. 3600 over to the House of Representatives for its consideration.

From the Ukrainian war front —

  • CISA continues to update its Shields Up website.
  • The HHS Cybersecurity Program issued an Analysts Note on “The Russia-Ukraine Cyber Conflict and Potential Threats to the US Health Sector.”

With the risk of cyberattacks on the rise due to the war in Ukraine, experts say HR teams should be increasingly vigilant for threats that will disrupt operations.

Beyond phishing trainings and ransomware education, HR may feel divorced from cybersecurity concerns. In the event of an outage or attack, however, people operations managers will be the ones to put their companies back on track, serving as a key liaison between the IT department and company staff at large, so preparation is key.

“HR has historically been responsible for communicating policies and work expectations even if they aren’t produced through a written policy. That’s really what’s necessary for cybersecurity to be effective,” Elizabeth Chilcoat, an associate at Sherman & Howard, said. 

It’s HR’s job to break down post-attack protocol into layman’s terms, both to keep the peace internally and for compliance reasons, she said. 

  • The American Hospital Association offers a podcast and other resources concerning “Russia, Ukraine and Cybersecurity in U.S. Health Care Sector.”

More generally, on Thursday, the HHS Cybersecurity Program posted a PowerPoint on “Health Sector Cybersecurity: 2021 Retrospective and 2022 Look Ahead,” and Bleeping Computer’s “The Week in Ransomware” is back.

This week’s biggest story is the massive data leak from the Conti ransomware operation, including over 160,000 internal messages between members and source code for the ransomware and TrickBot operation.

From the cyberdefense front

  • ZDNet reports “The US Cybersecurity and Infrastructure Security Agency (CISA) just added a whopping 95 new bugs to its catalogue of known exploited vulnerabilities, including multiple critical Cisco router flaws, Windows flaws new and old, and bugs in Adobe Flash Player, and more.” The agency said: “CISA has added 95 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise.”
  • CNBC reports on why companies are moving to the zero trust model of cybersecurity.
  • ISACA describes a five layer view of data center systems security.
  • Health IT Security tells us

Proper employee cyber hygiene is crucial to maintaining healthcare cybersecurity, a new report conducted by the Center for Generational Kinetics (CGK) and commissioned by Mobile Mentor suggested.

A survey of 1,500 employees across four highly regulated industries—finance, education, government, and healthcare—found that poor password hygiene and new employee onboarding left organizations vulnerable to cyber risks.

More than a third of respondents admitted to finding ways to work around their organization’s security policies, and 72 percent of respondents reported valuing their personal privacy over company security.

Cybersecurity Saturday

The HHS Cybersecurity Program offers us timely “CISA Insights: Preparing for and Mitigating Foreign Influence Operations Targeting Critical Infrastructure.”

Health IT Security adds “The American Hospital Association (AHA) urged hospitals and health systems to remain vigilant against healthcare cyberattacks amid Russia’s invasion of Ukraine” in a public advisory.

Cyberscoop provides the following example.

An infamous ransomware group with potential ties to Russian intelligence and known for attacking health care providers and hundreds of other targets posted a warning Friday saying it was “officially announcing a full support of Russian government.”

The gang said that it would use “all possible resources to strike back at the critical infrastructures” of any entity that organizes a cyberattack “or any war activities against Russia.” The message appeared Friday on the dark-web site used by ransomware group Conti to post threats and its victims’ data. Security researchers believe the gang to be Russia-based.

Conti ransomware was part of more than 400 attacks against mostly U.S. targets between spring 2020 and spring 2021, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the FBI reported in September.

From the FEHB front, FedScoop reports

The Office of Personnel Management has named James Saunders as chief information security officer.

He starts work in the new role Feb. 28 after joining the agency last year as a senior adviser for cloud and cybersecurity.

Previously, Saunders held the post of CISO at the Small Business Administration and moved to OPM in April 2021. One federal IT source speaking to this publication said that Saunders has already been acting as an “unofficial CISO” since joining the agency.

Good luck, Mr. Saunders.

From the good old Log4j front, Security Magazine reports

Security professionals around the globe continue to mitigate the effects of the Log4j vulnerability, which was discovered in December 2021. 

Cybersecurity nonprofit (ISC)² published the results of an online poll examining the Log4j vulnerability and the human impact of the efforts to remediate it. The poll surveyed 269 cybersecurity professionals, revealing the severity and long-term consequences of the Log4j attack for both security teams and the organizations they protect.

Key findings from the poll include:

— Nearly half (48%) of cybersecurity teams gave up holiday time and weekends to assist with Log4j remediation

— Fifty-two percent of respondents said their team collectively spent weeks or more than a month remediating Log4j

— Nearly two-thirds (64%) of cybersecurity professionals believe their peers are taking the zero-day exploit seriously

— Twenty-three percent noted that they are now behind on 2022 security priorities as a result of the change in focus

— More than one in four (27%) professionals believe their organization was less secure while remediating the vulnerability

“The main takeaway from the Log4j crisis and this data is that dedicated cybersecurity professionals are spread thin and need more support to effectively remediate zero-day exploits while still maintaining overall security operations,” said Clar Rosso, CEO of (ISC)².

Regrettably, Bleeping Computer’s The Week in Ransomware was not published this week.

Cybersecurity Saturday

From the cyberthreats front, ABC News reports

A top Justice Department official issued a stark warning Thursday [February 17] to companies in the U.S. and abroad, calling on them to immediately shore up their cybersecurity defenses amid a potential Russian invasion of Ukraine.

“Given the very high tensions that we are experiencing, companies of any size and of all sizes would be foolish not to be preparing right now as we speak — to increase their defenses, to do things like patching, to heighten their alert systems, to be monitoring in real-time their cybersecurity,” deputy attorney general Lisa Monaco said in remarks at the Munich Cybersecurity Conference. “They need to be as we say, ‘shields up’ and to be really on the most heightened level of alert that they can be and taking all necessary precautions.”

Here is a link to the CISA website with advice on how to put your Shields Up.

Last Tuesday February 15, the FEHBlog ran across the following government announcement:

The Federal Bureau of Investigation (FBI) and the United States Secret Service (USSS) have released a joint Cybersecurity Advisory (CSA) identifying indicators of compromise associated with BlackByte ransomware. BlackByte is a Ransomware-as-a-Service group that encrypts files on compromised Windows host systems, including physical and virtual servers.

CISA encourages organizations to review the joint FBI-USSS CSA and apply the recommended mitigations.

What’s more, here is our link to Bleeping Computer’s The Week in Ransomware:

The big news this week is that the Conti ransomware gang has recruited the core developers and managers of the TrickBot group, the developers of the notorious TrickBot malware.

This recruitment drive now allows the Conti ransomware gang to focus on developing further stealthy malware, such as BazarBackdoor, while letting the TrickBot malware slowly wane away due to its easy detection by antivirus software.

With this “merger,” Conti has evolved into an actual cybercrime syndicate with different groups focusing on developing malware for each leg of a ransomware attack, ranging from initial access to encrypting.

From the cyber protection front –

  • Health IT Security offers a useful review of the HIPAA Security Rule’s technical safeguard provisions.
  • Bleeping Computer informs us about CISA’s list of free cybersecurity tools and services.
  • The FEHBlog also ran across a comprehensive HHS HC3 PowerPoint presentation on protecting electronic health records.

Cybersecurity Saturday

Today is the 113th anniversary of the birth of President Abraham Lincoln who, in the FEHBlog’s opinion, is the best President our Nation ever had.

From the federal legislative and regulatory proposals front —

Nextgov tells us

[On February 8, 2022] Leaders of the Homeland Security and Governmental Affairs Committee introduced the Strengthening American Cybersecurity Act bundling provisions they view as crucial in the wake of vulnerabilities like one found in open-source software library log4j, but couldn’t get over the finish line in previous attempts.

“This landmark, bipartisan legislative package will provide our lead cybersecurity agency, [the Cybersecurity and Infrastructure Security Agency], with the information and tools needed to warn of potential cybersecurity threats to critical infrastructure, prepare for widespread impacts, coordinate the government’s efforts, and help victims respond to and recover from online breaches,” Committee Chairman Gary Peters, D-Mich., said in a press release Tuesday. “Our efforts will significantly bolster and modernize federal cybersecurity as new, serious software vulnerabilities continue to be discovered, such as the one in log4j. This combined bill will also ensure that agencies can procure cloud-based technology quickly, while ensuring these systems, and the information they store, are secure.” 

Health IT Security adds that also last week, “US Senators Tammy Baldwin (D-WI) and Bill Cassidy (R-LA) introduced the Health Data Use and Privacy Commission Act intending to modernize health data privacy laws to reflect the current tech landscape. * * * If passed, the act would establish a commission to review existing health data protections and assess current practices for health data use. The commission, whose members would be appointed by the Comptroller General, would also submit a report to Congress and the President six months after formation with recommendations on modernizing health data privacy.”

Evidently, in furtherance of this legislative proposal, AHIP announced its “core guiding priorities and a detailed roadmap to further protect the privacy, confidentiality, and cybersecurity of consumer health information.”

Reginfo.gov tells us that the Office of Management and Budget’s Office of Information and Regulatory Affairs has received for its review the following: “HIPAA Rules: Request for Information on Sharing Civil Money Penalties or Monetary Settlements With Harmed Individuals, and Recognized Security Practices Under HITECH.” As the HITECH Act of 2009 asked the Department of Health and Human Services to issue such a rule, this RFI falls into the better late than never category.

From the Apache Log4j vulnerability front, Cybersecurity Dive reports

Apache Software Foundation President David Nalley on Tuesday told the Senate Homeland Security & Government Affairs Committee it could take months, or even years, to fully eliminate the Log4j vulnerability. 

Every stakeholder in the software industry, especially the federal government and major customers, should be investing in supply chain security, Nalley said. He endorsed efforts like the software bill of materials (SBOM), but said the legislation won’t prevent vulnerabilities, only uncover them more quickly. 

Sen. Alex Padilla, D-Calif., raised questions over whether there is a “free rider” problem where large companies benefit from open source contributors, while providing very little compensation in return.

Another Cybersecurity Dive article explains

Security flaws in free and open-source software (FOSS) will be a recurring source of cyber risk, Moody’s Investors Service found. It could take organizations three to five years to fully resolve issues related to the Log4j vulnerability.

Certain industries vary in their ability to respond to vulnerabilities, according to 2021 data from BitSight, a Moody’s partner on cyber issues. The telecommunications industry trails other sectors, remediating only 29% of critical vulnerabilities within 90 days. The legal industry, with the quickest response time, remediated 68% of critical vulnerabilities in the same time frame.

The use of FOSS can save organizations considerable time and funding. But issues remain about the lack of financial support and, due to the voluntary participation of many contributors, developers experience high levels of burnout. * * *

While open source helps organizations save considerable time and effort on development, security concerns must be accounted for, said Sandy Carielli, a principal analyst at Forrester.

“However, the mistake is to assume that you can grab an open source library and then never look at it or update it again,” Carielli said via email. “Organizations need to get better about managing their open source — understanding where it is used and automating updates so that when something like Log4j happens, it’s a blip on the radar and can be remediated with practiced upgrade procedures.”

The Moody’s report follows a January report from Fitch warning about the increased cyber risk of Log4j to public finance entities, including local governments, small utilities and critical infrastructure providers. 

From the cybersecurity business front, Cyberscoop informs us

Sustained demand for cybersecurity services and continued innovation across the industry helped 2021 become a record-setting year for deals involving cyber companies, analysts say.

The funding that flowed into cyber companies increased 136% over 2020 levels, to $29.3 billion, up from $12.4 billion the previous year, according to a report published Wednesday by Momentum Cyber, which advises cyber companies on mergers and acquisitions.

Likewise, the total volume of mergers and acquisitions activity reached $77.5 billion, up 294% from calendar year 2020, according to the report.

Several trends are driving those numbers, analysts and executives say: Companies across the economy have expanded their budgets for reliable cybersecurity services, boosting revenues for the industry. In turn, big investors — including private equity groups and venture capitalists — are following that money. And as cyberthreats increase in severity and complexity, smaller firms continue to develop valuable expertise in niche areas of information security.

From the government alert front, the HHS Cybersecurity Program issued an alert last week captioned “Indicators of Compromise Associated with LockBit 2.0 Ransomware and Additional Mitigations.”

Also,

“The Cybersecurity and Infrastructure Security Agency (CISA), along with the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) issued a joint Cybersecurity Advisory outlining the growing international threat posed by ransomware over the past year.  

“The advisory titled “2021 Trends Show Increased Globalized Threat of Ransomware” outlines top trends seen across three nations including:

  • Cybercriminals are increasingly gaining access to networks via phishing, stolen Remote Desktop Protocol (RDP) credentials or brute force, and exploiting software vulnerabilities.
  • The market for ransomware became increasingly “professional” and there has been an increase in cybercriminal services-for-hire.
  • More and more, ransomware groups are sharing victim information with each other, including access to victims’ networks.
  • Cybercriminals are diversifying their approaches to extorting money.
  • Ransomware groups are having an increasing impact thanks to approaches targeting the cloud, managed service providers, industrial processes and the software supply chain.
  • Ransomware groups are increasingly targeting organizations on holidays and weekends.

“Importantly, today’s Cybersecurity Advisory also lays out mitigations to help network defenders reduce their risk of compromise, appropriate responses to ransomware attacks, and key resources from each respective cyber agency.”

Here is a link to that advisory and, of course, a link to Bleeping Computer’s The Week in Ransomware.
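The advisory’s first trend (stolen RDP credentials or brute force) and its last (attacks on weekends) are both things a defender can look for in ordinary Windows logon telemetry. The following is an added example, not part of the advisory or of this post: it runs a sliding-window brute-force detection over a handful of constructed logon records (the host names, addresses, usernames and the five-failures-in-five-minutes threshold are all made up for illustration), reports the usernames tried, whether a later success from the same source followed, and whether the burst fell on a weekend.

```python
"""Detect RDP brute-force bursts in constructed Windows logon records.

Added example (not CISA/FBI tooling). Assumption: a collector has flattened
Windows Security events 4625 (failed logon) and 4624 (successful logon) into
one key=value line per event; logon_type 10 is RemoteInteractive, i.e. RDP.
All log lines, hosts, addresses (RFC 5737 documentation ranges) and the
threshold are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2022-02-05T03:12:01Z host=rdp-gw01 event=4625 src=203.0.113.45 user=administrator logon_type=10
2022-02-05T03:12:03Z host=rdp-gw01 event=4625 src=203.0.113.45 user=admin logon_type=10
2022-02-05T03:12:05Z host=rdp-gw01 event=4625 src=203.0.113.45 user=backup logon_type=10
2022-02-05T03:12:06Z host=rdp-gw01 event=4625 src=203.0.113.45 user=sql logon_type=10
2022-02-05T03:12:08Z host=rdp-gw01 event=4625 src=203.0.113.45 user=scan logon_type=10
2022-02-05T03:12:09Z host=rdp-gw01 event=4625 src=203.0.113.45 user=test logon_type=10
2022-02-05T03:12:11Z host=rdp-gw01 event=4624 src=203.0.113.45 user=scan logon_type=10
2022-02-07T09:15:00Z host=rdp-gw01 event=4625 src=198.51.100.7 user=jsmith logon_type=10
2022-02-07T09:15:40Z host=rdp-gw01 event=4624 src=198.51.100.7 user=jsmith logon_type=10
2022-02-05T03:30:00Z host=fileserver event=4625 src=198.51.100.9 user=jdoe logon_type=3
"""

FAILURE_THRESHOLD = 5           # failures per source inside WINDOW (assumed tuning)
WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Parse one 'timestamp key=value ...' record into a dict."""
    ts_text, *fields = line.split()
    record = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_rdp_bruteforce(records, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return one alert per source that produced >= threshold RDP failures
    inside `window`. Each alert lists the distinct usernames tried (many
    users from one source points to password spraying), whether a later
    success from the same source followed the burst, and whether the burst
    fell on a weekend."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for r in records:
        if r.get("logon_type") != "10":
            continue                      # only RDP logons are of interest here
        if r["event"] == "4625":
            failures[r["src"]].append(r)
        elif r["event"] == "4624":
            successes[r["src"]].append(r)

    alerts = []
    for src, fails in failures.items():
        fails.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(fails)):
            # slide the window start forward until it fits inside `window`
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                window_start = fails[start]["ts"]
                burst = [r for r in fails[start:] if r["ts"] - window_start <= window]
                last_fail = burst[-1]["ts"]
                alerts.append({
                    "src": src,
                    "host": burst[0]["host"],
                    "failures": len(burst),
                    "usernames": sorted({r["user"] for r in burst}),
                    "weekend": burst[0]["ts"].weekday() >= 5,
                    "followed_by_success": any(s["ts"] > last_fail
                                               for s in successes.get(src, [])),
                })
                break                     # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed input only 203.0.113.45 trips the rule: six failures against six different accounts inside eight seconds on a Saturday, followed by a success, which is the combination worth paging on. The single failure from 198.51.100.7 and the non-RDP failure on the file server are left alone.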

Happy Super Bowl weekend.

Cybersecurity Saturday

Cyberscoop tells us

The Homeland Security Department is establishing a Cyber Safety Review Board that will convene after major cyber events to review and act on them, according to a Federal Register notice.

The notice brings to fruition an idea long circulated among cybersecurity policymakers and thinkers, one set in motion by an executive order President Joe Biden signed in May 2021. The idea is to mimic the National Transportation Safety Board that reviews civil aviation accidents.

The board (CSRB) will have no more than 20 members, with one each required from DHS, its Cybersecurity and Infrastructure Security Agency, the Department of Justice, the National Security Agency and the FBI. The DHS undersecretary for strategy, policy and plans — a post held by Rob Silvers — will serve as the inaugural two-year chair.

It will kick into effect when an incident prompts formation of a Cyber Unified Coordination Group, a National Security Council-established organization for unifying government response to cyber incidents such as those that hit critical infrastructure owners and operators. The 2020 SolarWinds breach, which caused the compromise of both federal agencies and major tech companies, led to a public announcement of a coordination group forming.

From the breach and vulnerability front —

Health IT Security reports

Cyberattacks targeted at health plans and third-party business associates increased last year, while attacks against healthcare providers dipped slightly, a report by Critical Insight discovered.

Researchers analyzed 2021 data from the Office for Civil Rights (OCR) data breach portal and compared it to years past. The report revealed that health plan cyberattacks increased by 35 percent from 2020 to 2021, and attacks against third-party business associates increased by 18 percent.

Interestingly, cyberattacks aimed at healthcare providers declined by approximately 4 percent. Although the decrease is not extreme, it shows that cybercriminals are adapting their tactics and targets as organizations continue to implement safeguards against common exploitation techniques.

and

Threat actors continually leverage unpatched vulnerabilities as their primary ransomware attack vector, a new report by Ivanti in partnership with Cyware and Cyber Security Works found. Researchers discovered 65 new vulnerabilities connected to ransomware in 2021, which signified a 29 percent growth compared to 2020.

Over a third of the 65 newly discovered vulnerabilities were being actively searched for on the internet, further stressing the need to prioritize patching.

More specifically, Bleeping Computer informs us in a report posted yesterday

The Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch their systems against an actively exploited Windows vulnerability that enables attackers to gain SYSTEM privileges.

Per a binding operational directive (BOD 22-01) issued in November and today’s announcement, all Federal Civilian Executive Branch (FCEB) agencies are now required to patch all systems against this vulnerability, tracked as CVE-2022-21882, within two weeks, until February 18th.

While BOD 22-01 only applies to FCEB agencies, CISA strongly urges all private and public sector organizations to reduce their exposure to ongoing cyberattacks by adopting this Directive and prioritizing mitigation of vulnerabilities included in its catalog of actively exploited security flaws.
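BOD 22-01 works by attaching a due date to every entry in CISA’s catalog of exploited vulnerabilities, so adopting it in a private organization mostly means joining scanner output to that catalog and sorting by deadline. Here is an added example of that join (it is not CISA tooling): the catalog excerpt is constructed in the shape of the public KEV JSON feed, using CVE-2022-21882 and its February 18 due date from the article above plus one obviously labelled placeholder entry; the asset inventory and host names are constructed as well.

```python
"""Triage an asset inventory against a KEV-style catalogue excerpt.

Added example, not CISA code. KEV_EXCERPT is constructed in the layout of
CISA's known-exploited-vulnerabilities JSON feed (cveID, vendorProject,
product, requiredAction, dueDate). CVE-2022-21882 and its due date are from
the article; CVE-0000-00000 is a placeholder, and ASSETS is invented.
"""
import json
from datetime import date

KEV_EXCERPT = json.loads("""
{
  "catalogVersion": "example-excerpt",
  "vulnerabilities": [
    {
      "cveID": "CVE-2022-21882",
      "vendorProject": "Microsoft",
      "product": "Windows",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2022-02-18"
    },
    {
      "cveID": "CVE-0000-00000",
      "vendorProject": "PlaceholderVendor",
      "product": "PlaceholderProduct",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2022-07-10"
    }
  ]
}
""")

# Constructed inventory: the CVEs a vulnerability scanner still reports open
# on each host.
ASSETS = [
    {"hostname": "ws-0123", "open_cves": ["CVE-2022-21882"]},
    {"hostname": "ws-0456", "open_cves": []},
    {"hostname": "srv-0789", "open_cves": ["CVE-2022-21882", "CVE-0000-00000"]},
]


def kev_index(catalog):
    """Map cveID -> catalogue entry, with dueDate parsed to a date."""
    index = {}
    for entry in catalog["vulnerabilities"]:
        item = dict(entry)
        item["dueDate"] = date.fromisoformat(entry["dueDate"])
        index[entry["cveID"]] = item
    return index


def triage(assets, catalog, today_iso):
    """Return (days_remaining, hostname, cveID) for every open catalogued CVE,
    most urgent first. Negative days_remaining means the deadline has passed.
    CVEs not in the catalogue are skipped: they still need patching, but
    carry no directive deadline."""
    today = date.fromisoformat(today_iso)
    index = kev_index(catalog)
    findings = []
    for asset in assets:
        for cve in asset["open_cves"]:
            entry = index.get(cve)
            if entry is None:
                continue
            days_remaining = (entry["dueDate"] - today).days
            findings.append((days_remaining, asset["hostname"], cve))
    findings.sort()
    return findings


def overdue(assets, catalog, today_iso):
    """Only the findings whose directive deadline has already passed."""
    return [f for f in triage(assets, catalog, today_iso) if f[0] < 0]


if __name__ == "__main__":
    for days, host, cve in triage(ASSETS, KEV_EXCERPT, "2022-02-20"):
        status = f"OVERDUE by {-days} days" if days < 0 else f"{days} days left"
        print(f"{host:10} {cve:16} {status}")
```

Run against the real feed, the only change is replacing KEV_EXCERPT with the downloaded catalog and ASSETS with scanner output; the `requiredAction` text in each entry is what goes on the ticket.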

Cybersecurity Dive discusses four cyberthreat trends to watch this year.

If there is one predictable constant in cybersecurity, it’s the omnipresence of ransomware. As Mandiant put it best, “There’s no end in sight for ransomware.”

But don’t expect ransomware to continue as we know it today. Mandiant predicts threat actors will develop new ways to gain a profit from ransomware, starting with a shift to globalized attacks. * * *

The common thread around these trends is cybercriminals finding a way to manipulate corporate data, and for that problem, there really is no end in sight. 

Of course this quote naturally leads the FEHBlog to offer a link to the Bleeping Computer’s The Week in Ransomware.

From the cyberdefense front

  • Healthcare Dive discusses three tactics shaping ransomware mitigation this year.
  • A Wall Street Journal commentator who is Cato Networks’ CEO explains

Just as Software as a Service revolutionized the internet by letting everyone access applications online rather than buying, installing and managing expensive software, [Cato Networks offers] a new [cybersecurity] model, Secure Access Service Edge, promises to do the same thing for network security. To understand roughly what it does, look at your iPhone, which is a telephone, a computer, a high-resolution camera and a global positioning device all in one machine. Secure Access Service Edge will do something similar for network access and security, allowing businesses of all sizes, including small and medium-size ones, network access and security without a host of costly components.

Cool.

Cybersecurity Saturday

To set the stage, last Tuesday, “ECRI, an independent, nonprofit organization that provides technology solutions and evidence-based guidance to healthcare decision-makers worldwide, lists cybersecurity attacks as the top health technology hazard for 2022 in its just-released annual report.”

What’s more, HC3 issued its Fourth Quarter 2021 Healthcare Cybersecurity Bulletin.

Getting down to business, HC3 also released a useful PowerPoint presentation with background and remediation / prevention tips for the Log4j vulnerability.

From the irony department, ZDNet reported yesterday that

Microsoft researchers have discovered a previously undisclosed vulnerability in the SolarWinds Serv-U software while monitoring threats related to Log4J vulnerabilities. 

Jonathan Bar Or explained on Twitter that while he was hunting for a Log4J exploit attempt, he noticed attacks coming from serv-u.exe. 

“Taking a closer look revealed you could feed Serv-U with data and it’ll build an LDAP query with your unsanitized input! This could be used for log4j attack attempts, but also for LDAP injection,” he wrote. 

“Solarwinds immediately responded, investigated and fixed the #vulnerability. Their response is the quickest I’ve seen, really amazing work on their part!”
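The defect described in the tweet is the classic LDAP injection shape: caller-supplied text is spliced into a search filter without escaping, so filter metacharacters in the input change the query’s meaning. As an added illustration (none of this is Serv-U or SolarWinds code), the snippet below shows that unsafe pattern next to the hardened one, with the escaping rules from RFC 4515; the `build_filter_*` functions are stand-ins that only produce the filter string and never contact a directory.

```python
"""LDAP filter value escaping: unsafe and hardened filter construction.

Added example; not code from Serv-U or any real product. Escaping follows
RFC 4515 section 3: backslash, '*', '(', ')' and NUL in an assertion value
are replaced by a backslash plus two hex digits. The attribute names in
the filter template (objectClass, sAMAccountName) are assumed for the
example.
"""

# RFC 4515: characters that must be escaped inside a filter assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value):
    """Escape a string so it is treated purely as data inside a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(username):
    """Vulnerable pattern: the input lands in the filter verbatim, so a '*'
    becomes a wildcard and parentheses can reshape the expression."""
    return f"(&(objectClass=user)(sAMAccountName={username}))"


def build_filter_safe(username):
    """Hardened pattern: the same template, but the value is escaped first,
    so every metacharacter is compared literally."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(username)}))"


def value_is_literal(flt, value):
    """Check that `value` survived into `flt` only in escaped form: the
    unescaped value must be absent unless it contains no metacharacters."""
    if not any(ch in _ESCAPES for ch in value):
        return value in flt
    return value not in flt and escape_filter_value(value) in flt


if __name__ == "__main__":
    for sample in ["jdoe", "*", "j(doe)"]:
        print("unsafe:", build_filter_unsafe(sample))
        print("safe:  ", build_filter_safe(sample))
```

The hardened builder is what a code reviewer should expect to see wherever user-controlled text meets an LDAP filter; most directory client libraries ship an equivalent escape routine, and the one-line `value_is_literal` check is the kind of assertion worth adding to the unit tests around such code.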

On a broader scale, ZDNet also reports that

The US government has urged organizations to shore up defenses “now” in response to website defacements and destructive malware targeting Ukraine government websites and IT systems. 

The US Cybersecurity and Infrastructure Security Agency (CISA) has published a new ‘CISA Insights’ document aimed at all US organizations, not just critical infrastructure operators. The checklist of actions is CISA’s response to this week’s cyberattacks on Ukraine’s systems and websites, which the country’s officials have blamed on hackers linked to Russian intelligence services.

From the latest vulnerabilities front, Cyberscoop informs us that

QR codes are among the few “winners” of the coronavirus pandemic, the joke goes, because restaurants and other businesses have deployed them in far greater numbers over the past few years, in an effort to make more interactions contactless.

The FBI is warning, however, that scammers love them, too.

The bureau’s Internet Crime Complaint Center (IC3) issued a general alert Tuesday about “malicious” QR codes that reroute unsuspecting consumers to the world of cybercrime.

“[C]ybercriminals are taking advantage of this technology by directing QR code scans to malicious sites to steal victim data, embedding malware to gain access to the victim’s device, and redirecting payment for cybercriminal use,” the announcement says.

Last but never least, here is a link to Bleeping Computer’s The Week in Ransomware.

Cybersecurity Saturday

The headline news of the week is brought to us by the Wall Street Journal

The Russian government on Friday [January 14] said it had arrested members of the prolific criminal ransomware group known as REvil that has been blamed for major attacks against U.S. business and critical infrastructure, disrupting its operations at the request of U.S. authorities.

Russia’s security service, the FSB, said in an online press release that it had halted REvil’s “illegal activities” and seized funds belonging to the group from more than two dozen residences in Moscow, St. Petersburg and elsewhere. REvil members were arrested in relation to money-laundering charges, the FSB said. It didn’t provide names of any of the suspects.

The arrests included “the individual responsible for the attack on Colonial Pipeline last spring,” a particularly devastating ransomware offensive that led to the main conduit of fuel on the U.S. East Coast being shut down for days, a senior Biden administration official said. A different Russian ransomware gang had previously been linked to the Colonial hack, but security experts and officials have said they are not neatly defined and that individual hackers often overlap.

“We welcome reports the Kremlin is taking law enforcement steps to address ransomware within its borders,” the official said.

Needless to say this development also is the focus of Bleeping Computer’s The Week in Ransomware.

From the Log4j front, Healthcare Dive tells us that

— Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said the agency has not yet seen the Log4j vulnerability used for significant intrusions but cautioned that sophisticated threat actors may be lying in wait for cybersecurity defenders to be caught off guard during a lower level of awareness.

— Threat actors have used the vulnerability to install and sell cryptomining software on victims’ computers and to potentially launch future botnet attacks. CISA cannot independently confirm research showing nation-state threat actors developing attacks based on Log4Shell, Easterly said during a presser Monday. 

— Microsoft security researchers identified a China-based threat actor, tracked as DEV-0401, exploiting the Log4j vulnerability in systems using VMware Horizon to deploy NightSky ransomware, researchers said in an updated blog.

Federal News Network interviewed Gordon Bitko, former FBI chief information officer and now senior vice president of policy at the Information Technology Industry Council, about this infamous vulnerability.

Gordon Bitko: Tom, where there’s a difference from SolarWinds. Log4j wasn’t a coordinated — as far as we know — attack by an adversary. It was a vulnerability that was identified, and so the people who are exploiting it now seem more like cybercriminals who were using it as a way to implant ransomware, things of that nature.

Tom Temin: Alright, so you can never rest on your laurels.

Gordon Bitko: That is 100% the case. It is important for everybody doing cybersecurity and their management to understand it’s a race on a treadmill. You can never stop.

Last Wednesday Cyberscoop reported that

Tech giants and federal agencies will meet at the White House on Thursday to discuss open-source software security, a response to the widespread Log4j vulnerability that’s worrying industry and cyber leaders.

Among the attendees are companies like Apple, Facebook and Google, as well as the Apache Software Foundation, which builds Log4j, a ubiquitous open-source logging framework for websites.

“Building on the Log4j incident, the objective of this meeting is to facilitate an important discussion to improve the security of open source software — and to brainstorm how new collaboration could rapidly drive improvements,” a senior administration official said in advance of the meeting.

Here’s the White House readout from that meeting. According to that document, the discussion focused on three topics:

Preventing security defects and vulnerabilities in code and open source packages, improving the process for finding defects and fixing them, and shortening the response time for distributing and implementing fixes. In the first category, participants discussed ideas to make it easier for developers to write secure code by integrating security features into development tools and securing the infrastructure used to build, warehouse and distribute code, like using techniques such as code signing and stronger digital identities.

In the second category, participants discussed how to prioritize the most important open source projects and put in place sustainable mechanisms to maintain them.

In the final category, participants discussed ways to accelerate and improve the use of Software Bills of Material, as required in the President’s Executive Order, to make it easier to know what is in the software we purchase and use. 
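The readout’s third topic, and Sandy Carielli’s point in the Moody’s article earlier on this page about knowing where open source is used so that a Log4j-type event becomes “a blip on the radar,” come down to the same mechanical step: reading a Software Bill of Materials and comparing component versions against a watch list. The block below is an added example of that step (it is not Apache, White House or Moody’s tooling). The SBOM is constructed but follows the CycloneDX JSON layout, including a component nested inside another one, which is where bundled copies of a library hide; the version floor of 2.17.1 for log4j-core is an assumption chosen for the example, not a statement of the exact affected range.

```python
"""Scan a CycloneDX-style SBOM for components below a watch-listed version.

Added example, not project code. SBOM is constructed in CycloneDX JSON
shape (components[].group/name/version, with optional nested components).
WATCHLIST's 2.17.1 floor for log4j-core is an assumption for illustration.
Version parsing handles up to three numeric parts plus an optional
pre-release suffix such as '2.0-beta9'.
"""
import json

SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
    {"type": "library", "group": "com.example", "name": "billing-service",
     "version": "3.2.0",
     "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.17.1"}
     ]},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.0-beta9"}
  ]
}
""")

# (group, name) -> first version treated as fixed. Assumed value for the example.
WATCHLIST = {("org.apache.logging.log4j", "log4j-core"): "2.17.1"}


def parse_version(v):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple.

    Numeric parts are compared as integers and padded to three places; a
    release (no suffix) ranks above any pre-release of the same number.
    Pre-release suffixes compare as plain strings, which is enough here."""
    main, _, pre = v.partition("-")
    nums = [int(p) for p in main.split(".") if p.isdigit()]
    nums += [0] * (3 - len(nums))
    release_flag = 0 if pre else 1
    return (*nums, release_flag, pre)


def walk(components):
    """Yield every component, descending into nested (bundled) components."""
    for c in components:
        yield c
        yield from walk(c.get("components", []))


def find_vulnerable(sbom, watchlist=WATCHLIST):
    """Return (group, name, version, fixed_in) for every watched component
    whose version is below the watch-listed fixed version."""
    hits = []
    for c in walk(sbom.get("components", [])):
        key = (c.get("group"), c.get("name"))
        fixed = watchlist.get(key)
        if fixed and parse_version(c["version"]) < parse_version(fixed):
            hits.append((key[0], key[1], c["version"], fixed))
    return hits


if __name__ == "__main__":
    for group, name, version, fixed in find_vulnerable(SBOM):
        print(f"{group}:{name} {version} is below {fixed}")
```

On the constructed SBOM the scan flags the top-level 2.14.1 copy and the 2.0-beta9 copy while passing the 2.17.1 copy bundled inside billing-service; log4j-api is ignored because it is not on the watch list. The same walk, driven by a real SBOM and a real advisory’s affected range, is the inventory step Carielli describes, and it is only as good as the SBOM’s coverage of nested and vendored components.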

For a government meeting open to you, dear readers:

The Cybersecurity and Infrastructure Security Agency (CISA) is holding virtual mini-Industry Day events throughout this year. These events will allow CISA and industry to have meaningful discussions about cybersecurity capabilities, challenges, top priorities, requirements, and technologies as well as future business opportunities.

The first Virtual Mini-Industry Day will be Wednesday, January 26, at 10 a.m. (EST). This event will provide insight into current and future challenges as well as provide presentations regarding IT FY22 information technology focus areas, FY23-25 foundational work, engineering, information assurance, information technology operations, and records management/governance. To attend, please register by Tuesday, January 18, at 5 pm ET.

Finally, ZDNet offers its recommendations on