Cybersecurity Saturday

Health IT Security reports

As a new year begins, threat actors are continuing to overwhelm providers and patients with healthcare data breaches. Some experts predict that ransomware actors will favor data exfiltration over encryption this year and that they will shift their focus to APIs and other attack vectors in order to throw off victims.

Florida-based health system Broward Health recently suffered a protected health information (PHI) breach that impacted 1.3 million individuals. Meanwhile, other healthcare organizations are still recovering from a ransomware attack on HR management solutions vendor Kronos.

Many healthcare organizations are also focused on mitigating threats associated with the recently discovered Apache Log4j vulnerability, which could have catastrophic security implications for multiple sectors if exploited.

HHS urged healthcare organizations to implement the Log4j patch and ramp up incident response functions. Healthcare organizations should also remain wary of ransomware, phishing, and other prominent cyber threats that continue to impact organizations across all sectors.

The more things change, etc.

Cyberscoop adds that

The Federal Trade Commission Tuesday warned companies that if they fail to take action to remedy a major recent software vulnerability in open-source software tool Log4j, there could be legal repercussions.

“When vulnerabilities are discovered and exploited, it risks a loss or breach of personal information, financial loss, and other irreversible harms,” the agency warned. “It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.”

Log4j is ubiquitous in software used throughout the technology industry, and is found in products built by companies including Amazon, Google and Microsoft. The widespread use of such technology has made it difficult to identify potential victims. At the same time, the popularity has made it an easy target for a range of cybercriminals to exploit.

Cybersecurity Dive concludes

As U.S. industries and government agencies restart operations after the winter holiday break, security researchers are warning the impacts of the Log4j vulnerability will continue to leave organizations open to potential threats in the coming weeks and months. 

“Exploitation attempts and scanning remained high during the last weeks of December,” Microsoft said in an updated blog post. Attackers have added exploits to existing malware kits and tactics, ranging from coin miners to hands-on-keyboard attacks. 

The Apache Software Foundation released version 2.17.1 of Log4j last week, the latest in a series of updates since the vulnerability was disclosed in December. The newly released fix addresses the risk of remote code execution when an attacker with certain permissions can create a malicious configuration using a JDBC Appender, according to Apache. 

And it wouldn’t be a Cybersecurity Saturday post without offering a link to Bleeping Computer’s The Week in Ransomware.

Cybersecurity Friday

Happy New Year.

Due to the holidays, there has been a two-week break in the FEHBlog’s cybersecurity posts. The December 18 post focused on the Java Log4j vulnerability, which is still causing cybersecurity problems according to this Cyberscoop article:

A Chinese hacking group known for industrial espionage and intelligence collection used a vulnerability in Log4j to go after a large academic institution, researchers at CrowdStrike revealed Wednesday.

Tech Republic reports on how to check for Log4j vulnerabilities using a “simple to use script.” The article walks the reader through a sample scan. HC3 also released an alert calling attention to the availability of this vulnerability scanner.

This Health IT Security article adds that “The HHS 405(d) Task Group issued a brief outlining the risks associated with the recently discovered Apache Log4j vulnerability that could have catastrophic security implications for healthcare and other sectors.” Bleeping Computer offers a detailed situation report on the Log4j vulnerability.

Speaking of catastrophes, Bleeping Computer looks back at the ten largest healthcare protected health information breaches in 2021 and Tech Republic identifies the ten worst password snafus this year. Tech Republic adds

How can you make sure your employees follow strong password security guidelines to protect your organization’s sensitive data? Dashlane offers the following tips:

Establish a culture of security. Employees need to understand what part they play in securing your company’s data. They must be involved in discussions about security. And they should have the tools required to follow strong password and security hygiene.

Train employees. Show employees how to spot and report possible security risks and threats. You may want to create a special email or contact they can use to report an incident.

Implement the right technology. This means using such tools as email security, endpoint protection and password managers.

Track the results of your security tools. Find ways to measure the effectiveness of your security defenses. For example, some password managers have a health feature that analyzes and rates the strength of your passwords.

Also, Health IT Security offers expert cybersecurity predictions for 2022. For example,

By December 31, 2022, healthcare organizations will be required to migrate to Fast Healthcare Interoperability Resources (FHIR) APIs in order to enable seamless data sharing. As organizations adjust and implement the new data standards, it is likely that threat actors will use APIs as a network entry point.

“As interoperability becomes more of a mainstream priority for healthcare organizations and we see more APIs that are being introduced between critical systems, I think we’re going to see a rise in the number of attacks that are focused on compromising those APIs,” Mac McMillan, CEO of CynergisTek, predicted in an interview with HealthITSecurity.

“It’s another area where [we] don’t typically have a good, consistent approach across the board in healthcare with respect to testing APIs for security.”

Cybersecurity Saturday

Roughly a year after we experienced SolarWinds, we have the Apache Log4j flaw. ZDnet tells us that “A flaw in Log4j, a Java library for logging error messages in applications, is the most high-profile security vulnerability on the internet right now and comes with a severity score of 10 out of 10.” Here is a link to ZDnet’s FAQ on the Log4j flaw and the patches available.

ZDnet adds

If there ever was any doubt over the severity of the Log4j vulnerability, director of US cybersecurity and infrastructure agency CISA, Jen Easterly, immediately quashed those doubts when she described it as “one of the most serious that I’ve seen in my entire career, if not the most serious”.

Not surprisingly therefore, Federal News Network reports that

The Cybersecurity and Infrastructure Security Agency issued an emergency directive today [December 17] requiring civilian executive branch agencies to determine all Internet-facing assets with the critical “Log4j” vulnerability and either patch or mitigate any vulnerable software within a week.

By Dec. 23 at 5 p.m., agencies are directed to “enumerate all solution stacks accepting data from the internet” and then check whether any of them have the Log4j vulnerability using a CISA-managed Github repository available on the agency’s website, according to the new directive.

By the same deadline, agencies are given three options for how to address any vulnerable software: “immediately” update assets where patches are available; mitigate the risk of exploitation using another mitigation measure listed on CISA’s website; or remove the affected asset from their networks.

Bleeping Computer’s The Week in Ransomware focuses its attention on cybercriminal exploitation of this flaw.

Health IT Security adds

At least 39 ransomware groups have attacked the healthcare sector across 27 countries in the past 18 months, data from the CyberPeace Institute’s Cyber Incident Tracer revealed. Despite explicitly saying that they would not target healthcare, 12 groups singled out the sector.

Some healthcare organizations may simply be collateral damage, an accompanying blog post explained. Some ransomware operators used vague terms like “medical organizations” when describing which entities were off limits. Others saw pharmaceutical companies as fair game. Half of the 12 ransomware operators targeted hospitals specifically, despite saying that they would not target healthcare. * * *

Other groups target healthcare by choice. The FIN12 affiliate group has a reputation for going after healthcare organizations. Threat intelligence firm Mandiant discovered that nearly 20 percent of the group’s attacks were targeted at healthcare entities, and over 70 percent were aimed at US-based entities.

Sometimes, healthcare organizations may be targeted out of indifference. Usually, this means that the healthcare organizations fell victim to “spray and pray” tactics, where ransomware operators will execute phishing campaigns or Remote Desktop Protocol (RDP) brute force attacks with the hopes of getting some organizations to fall for the attack.

The Wall Street Journal aptly describes 2021 as “the year that hackers went wild and changed everything.”

The U.S. government in 2021 began to take a more decisive—and prescriptive—role in how digital defenses are constructed, on the back of a string of high-profile cyberattacks against the nation’s critical infrastructure.

Jingle Bells.

Cybersecurity Saturday

From Capitol Hill, per Nextgov, “the House [of Representatives] on Tuesday passed the NDAA conference report—language House and Senate Armed Services Committee leaders agree on that reconciles versions of the bill from each chamber. The next step is a vote on the conference report by the Senate” (H.R. 4350).

Nextgov adds

“There were intensive efforts to get cyber incident reporting done but ultimately the clock ran out on getting it in the NDAA,” House Homeland Security Committee Chairman Bennie Thompson, D-Miss and Rep. Yvette D. Clarke, D-NY, who chairs the committee’s panel on cybersecurity, said in a joint statement Tuesday.

The annual Defense Authorization Act still “initiates the widest empowerment and expansion of CISA through legislation since the SolarWinds incident,” according to a summary of the bill released by the House Armed Services Committee Tuesday.

The bill gives CISA added responsibilities around identifying threats to industrial control systems, and removing cybersecurity vulnerabilities while establishing voluntary partnerships with industrial control system and internet ecosystem companies. 

From the government initiative front, Health IT Security reports that

HHS launched a new website for its 405(d) Program with the goal of aligning healthcare cybersecurity across the industry. Under the Cybersecurity Act of 2015, HHS established the 405(d) Aligning Health Care Industry Security Approaches Program and the 405(d) Task Group, which is comprised of more than 150 industry and government experts.

The program aims to uphold the motto that “cyber safety is patient safety,” and its website contained resources, videos, products, and tools to help raise awareness and promote cybersecurity best practices, the HHS announcement stated.

“Healthcare professionals understand the importance of hand washing when it comes to mitigating the spread of diseases. Similarly, we know that cybersecurity practices reduce the risk of cyber-attacks and data breaches,” the website maintained.

Also the HHS Cybersecurity Program issued a healthcare sector alert yesterday

A highly utilized application called Log4j contains a severe, known vulnerability that is being actively and aggressively attacked. Upon successful exploitation, a compromised system or device can be used to execute arbitrary code, which can serve as the beginning of a larger cyberattack potentially resulting in any number of effects including data exfiltration and ransomware. HC3 advises healthcare and public health organizations to survey their infrastructure and ensure they are not running vulnerable versions of Log4j. Any vulnerable systems should be upgraded, and a full investigation of the enterprise network should commence to identify possible exploitation if a vulnerable version is identified.

Report

Log4j is a very common Java library/framework that provides logging capabilities to any number of software platforms that it serves. In late November, a remote code execution (RCE) vulnerability (tracked as CVE-2021-44228) was identified in certain versions which are now being actively exploited in the wild. Proof of concept exploit code has been circulating social media for several days and is publicly posted on well-known code repositories. The Log4j software is maintained by Apache and they have released an update which should be deployed (after testing, as needed) across all vulnerable devices in the enterprise in a timely manner.
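The HC3 report above tells organizations to survey their infrastructure for vulnerable versions of Log4j. The script below is an added example of how such a survey can be done from the file system, not HC3’s, Apache’s or Tech Republic’s scanner: it walks a directory tree, opens every JAR/WAR/EAR archive, recognises a bundled log4j-core by its Maven `pom.properties` and/or `JndiLookup.class`, and descends into archives nested inside other archives (the case a plain filename search misses). It assumes that any version below 2.17.1, the release the page names, should be reported, and the sample archives it builds are constructed stand-ins, not real Log4j jars.

```python
"""Find JAR/WAR/EAR archives that bundle a vulnerable log4j-core, nested ones included.

Added example for this page; not HC3's, Apache's or Tech Republic's scanner.
Assumptions: a bundled log4j-core is recognised by its Maven pom.properties and/or
JndiLookup.class, and any version below 2.17.1 (the release the page names) is reported.
"""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FIXED_VERSION = (2, 17, 1)
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
MAX_NESTING = 3  # jar inside war inside ear; deeper nesting is unusual


@dataclass
class Finding:
    location: str                       # archive path; "outer.war!inner.jar" when nested
    version: Optional[Tuple[int, ...]]  # parsed from pom.properties, None if absent
    has_jndi_lookup: bool

    @property
    def vulnerable(self) -> bool:
        # No version string but JndiLookup present: treat as vulnerable (fail closed).
        if self.version is None:
            return self.has_jndi_lookup
        return self.version < FIXED_VERSION


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn the 'version=2.14.1' line of pom.properties into a comparable tuple."""
    m = re.search(r"^version=([0-9][0-9.]*)", text, re.MULTILINE)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split(".") if p.isdigit())


def inspect_archive(data: bytes, location: str, depth: int = 0) -> List[Finding]:
    """Inspect one archive held in memory and recurse into archives nested in it."""
    findings: List[Finding] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container; nothing to inspect
    names = set(zf.namelist())
    version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace")) if POM_PROPS in names else None
    jndi = JNDI_LOOKUP_CLASS in names
    if version is not None or jndi:
        findings.append(Finding(location, version, jndi))
    if depth < MAX_NESTING:
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(inspect_archive(zf.read(name), f"{location}!{name}", depth + 1))
    return findings


def scan_directory(root: str) -> List[Finding]:
    """Walk root and inspect every archive; locations are reported relative to root."""
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), os.path.relpath(path, root)))
    return findings


def report(root: str) -> Dict[str, bool]:
    """Map each log4j-core location found under root to whether it is vulnerable."""
    return {f.location: f.vulnerable for f in scan_directory(root)}


def build_sample_tree(root: str) -> None:
    """Write constructed stand-in archives (not real log4j jars) for the demo."""
    def make_jar(path: str, version: str) -> None:
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # fake class stub
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    make_jar(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "2.14.1")
    make_jar(os.path.join(root, "lib", "log4j-core-2.17.1.jar"), "2.17.1")
    with zipfile.ZipFile(os.path.join(root, "lib", "unrelated.jar"), "w") as zf:
        zf.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
    # A WAR bundling an old log4j-core under WEB-INF/lib: only a nested scan sees it.
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(POM_PROPS, "version=2.15.0\n")
        zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr("WEB-INF/lib/log4j-core-2.15.0.jar", inner.getvalue())


def demo() -> Dict[str, bool]:
    """Scan the constructed tree in a temporary directory and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return report(tmp)


if __name__ == "__main__":
    for location, vulnerable in sorted(demo().items()):
        print(("VULNERABLE " if vulnerable else "ok         ") + location)
```

Pointing `scan_directory` at an application server’s deployment directory lists every bundled log4j-core with its version; the nested-archive walk is what catches copies shipped inside WAR and EAR files, which is where most of them live in practice.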

From the interviews department

  • Tech Republic interviews Walgreens Boots Alliance CTO Mike Maresca “about what keeps him up at night and why building internal and external partnerships is key for digital transformation success.”
  • The Wall Street Journal interviews Kathy Hughes, the CISO for Northwell Health, a hospital / healthcare system in New York City and Long Island, and Joey Johnson, the CISO for Premise Health, which offers health and wellness services to employers, among others. This tidbit from the interview grabbed the FEHBlog’s attention:

WSJ: Can you briefly explain a couple of technologies that you had to deploy?

MS. HUGHES: The most significant one was, because we had seen such an uptick in phishing emails, we deployed a technology that actually does a live scan of a URL when it’s clicked within an email. The technology that we had before, if a URL had been accessed that was previously determined and rated to be malicious, it would be blocked. But this enabled us to do that in real time.

Cool.

From the hacking front, Cyberscoop reports

Hackers associated with the SolarWinds supply chain compromise have been busy in the year since that attack was revealed, compromising multiple cloud solution companies with the goal of stealing data relevant to Russian interests and finding routes to additional victims, new research reveals.

Findings published Monday [December 6] by a team of analysts at Mandiant collate previous observations and analysis — along with the efforts of “hundreds of consultants, analysts and reverse engineers” — to paint a picture of potentially distinct groups working alongside or within a more established Russian intelligence hacking group known as Nobelium, a name given to the group by Microsoft. The group is also known as Cozy Bear.

Last but never least, here is a link to Bleeping Computer’s The Week in Ransomware.

This week has quite a bit of ransomware news, including arrests, a new and sophisticated ransomware, and an attack bringing down 300 supermarkets in England.

This week’s biggest story is a law enforcement operation conducted by the FBI and Ontario Provincial Police (OPP) that arrested a Canadian ransomware affiliate allegedly involved in hundreds of attacks.

We also learned about the new ALPHV (aka BlackCat) ransomware that appears to be one of the most sophisticated ransomware families we have seen this year.

Finally, this week’s largest known ransomware attack was on James Hall and Co, which affected point-of-sale systems and led to the temporary closing of over 300 Spar supermarkets in England. This week’s other known attack is on Nordic Choice Hotels by the Conti ransomware gang.

Cybersecurity Saturday

From the Capitol Hill front, Bank Info Security reviews the cybersecurity and breach notice measures found in the National Defense Authorization Act for the current government fiscal year. Defense One reports that the Senate at this point is not expected to pass its version of the bill until next month.

From the administrative front, Cyberscoop reports that

The Cybersecurity and Infrastructure Security Agency on Wednesday [December 1] named members to a new [Congressionally mandated] cyber advisory panel that will make recommendations on subjects ranging from battling misinformation to gaining aid from the hacker community on national cyber defense.

Among the 23 members selected are leaders from social media, cybersecurity companies, major technology firms and critical infrastructure sectors such as finance and energy. It includes officials from Johnson & Johnson and Walmart, as well as a longtime cybersecurity journalist and the mayor of Austin, Texas. * * *

Bylaws for the committee published in July said it would address subjects like critical infrastructure protection, information sharing, risk management and public-private partnerships. Wednesday’s announcement added potential subjects like the cyber workforce and disinformation. Its first meeting is Dec. 10.

Federal News Network informs us that

The Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security is putting the final touches on several guidance documents to help ease the transition to a zero trust cybersecurity environment.

The entire goal of this effort is to move security away from the network and to the data and application layers.

John Simms, the deputy branch chief of the Cybersecurity Assurance Branch in CISA, said the documents and other efforts are helping agencies shift their cyber thinking away from the network and closer to the data.

Over the last three months, CISA, along with the Office of Management and Budget, rolled out the draft zero trust strategy, the draft cloud security technical reference architecture and the draft zero trust maturity model.

From the reports front

  • On Thursday December 2, the Government Accountability Office issued a report in connection with GAO testimony before Congress “on the need for the federal government to develop and execute a comprehensive national cyber strategy, and to strengthen the role that it plays in protecting the cybersecurity of critical infrastructure. Ensuring the cybersecurity of the nation is on our High Risk List, and we have urged federal agencies to act on it.”
  • The HHS Office of Information Security released a presentation on December 2 about the risks that the cybercriminal group FIN12 poses to the healthcare sector.
  • Health IT Security reports about new Healthcare ISAC guidance to help CISOs navigate interoperability, patient access, and identity-centric data sharing under the 21st Century Cures Act. New interoperability mandates under the Cures Act require healthcare organizations to implement APIs to promote the digitization of electronic health information (EHI). “While APIs are the ‘door’ to enabling interoperability of EHR between healthcare organizations, strong identity solutions are the ‘key’ that keeps EHI secure,” the guide explained. OPM is eager for FEHB plans to offer these APIs to their members.

Here is a link to Bleeping Computer’s The Week in Ransomware.

The biggest news over the past two weeks is the unsealing of a United States’ Complaint for Forfeiture detailing how the FBI seized 39.89138522 bitcoins from an Exodus wallet belonging to an REvil affiliate. Based on the email listed in the court document, it is believed that the affiliate is one known as ‘Lalartu.’

The FBI also disclosed that Cuba ransomware has attacked 49 US critical infrastructure orgs and received at least US $43.9 million in ransom payments.

ZD Net adds that

Cyber criminals are using online adverts for fake versions of popular software to trick users into downloading three forms of malware – including a malicious browser extension with the same capabilities as trojan malware – that provide attackers with usernames and passwords, as well as backdoor remote access to infected Windows PCs.

The attacks, which distribute two forms of seemingly undocumented custom-developed malware, have been detailed by cybersecurity researchers at Cisco Talos who’ve named the campaign ‘magnat’. It appears the campaign has been operating in some capacity since 2018 and the malware has been in continuous development.  

Over half of the victims are in Canada, but there have also been victims around the world, including in the United States, Europe, Australia and Nigeria.

In closing, an expert in Security Week offers his four cybersecurity predictions for 2022.

Cybersecurity Saturday

The FEHBlog hopes that his readers enjoyed the 400th Thanksgiving holiday.

Congress will be in session for the next two weeks. Cyberscoop brings us up to date on the legislative effort to include a data breach and ransomware reporting provision in the must-pass National Defense Authorization Act bill for the current federal fiscal year.

As we enter our country’s major holiday season, Tech Republic reports that “An alert issued Monday [November 22] by the Cybersecurity and Infrastructure Security Agency [CISA] and the FBI urged organizations to be on guard for ransomware attacks that take advantage of worker downtime during Thanksgiving [etc.].”

In the alert, CISA stressed that neither it nor the FBI have identified any specific threats that might occur on or around Thanksgiving. But with or without advanced warning, organizations need to be prepared for attacks designed to take advantage of the holiday.

ISACA offers an expert column on using zero trust and XDR to stop ransomware. The FEHBlog has linked to several columns on zero trust but he had not heard of XDR. It turns out that

XDR brings together information about possible attack elements (e.g., indicators of compromise [IoCs]) with logs of network traffic, quirky endpoint behavior, cloud and Software-as-a-Service (SaaS) service requests, and server events for analysis. The power of XDR is that it goes beyond security information and event management (SIEM) which aggregates log data to include correlation, analysis and machine learning (ML)-augmented modelling. This forms the basis for an effective response.

By deploying an XDR solution (which can detect many attack elements) with a zero trust-enabled architecture (which hardens infrastructure against malicious attacks), one can substantially improve survivability against ransomware. So, deploy an IAM tool. Use multifactor authentication (MFA), at least for high-privilege accounts. Segment the network. And put an XDR tool in place for the security operations center (SOC). You will have a much calmer, more predictable, less eventful day-to-day work experience.

Because Bleeping Computer’s The Week in Ransomware was not published Thanksgiving week, here is a Health IT Security overview of cybersecurity issues affecting the healthcare sector.

Cybersecurity Saturday

From Capitol Hill, the Hill informs us that

The Senate is eyeing the annual defense bill as a vehicle to attach critical provisions to improve the nation’s cybersecurity following a devastating year in which major attacks left the government flat-footed.  

The [bipartisan] amendment [to the National Defense Authorization Act] would give critical infrastructure groups, nonprofit organizations, state and local governments, and certain businesses 24 hours to report ransomware attack payments. It also includes language to update the Federal Information Security Modernization Act (FISMA) to clarify the roles of key agencies in responding to cyber incidents, another key bipartisan priority. 

“It’s got broad bipartisan support, and we are hoping to get it in this package,” Peters told The Hill Wednesday. “Of course, we’ve got negotiations and then the House, and we’ve been working with our House counterparts too.”

The House already approved its version of the 2022 NDAA in September, including a raft of measures in the defense package intended to strengthen the nation’s cybersecurity.

Cyberscoop provides more breach notice news

Banks must report major cybersecurity incidents to federal officials within 36 hours under a rule that U.S. financial regulators finalized on Thursday.

Beginning in May 2022, financial executives will need to be more forthcoming about computer system failures and interruptions, such as ransomware or denial-of-service attacks that have the potential to disrupt customers’ ability to access their accounts, or impact the larger financial system. * * *

The final approval comes as Congress weighs broader reporting rules for critical infrastructure owners and operators, and as the Transportation Security Administration has begun imposing reporting requirements on leading pipeline, rail and air transport companies.

The 36-hour timeline for banks falls between the leading proposals on Capitol Hill at around 72 hours, and the TSA rules at 12 hours.

OPM allows FEHB carriers a 24 hour period to notify the agency about a breach or security incident.

On the advanced persistent threat front, Health IT Security reports that

US cyber officials along with allies from Australia and the UK issued an advisory warning the healthcare and transportation sectors about an Iranian government-sponsored advanced persistent threat (APT) group that has been exploiting Microsoft Exchange ProxyShell and Fortinet vulnerabilities. * * *

The FBI, CISA, ACSC, and NCSC recommend that organizations using Microsoft Exchange or Fortinet stay cautious and look for the following signs of suspicious activity:

— Search for IOCs. Collect known-bad IOCs and search for them in network and host artifacts.

— Investigate exposed Microsoft Exchange servers (both patched and unpatched) for compromise.

— Investigate changes to Remote Desktop Protocol (RDP), firewall, and Windows Remote Management (WinRM) configurations that may allow attackers to maintain persistent access.

— Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.

— Review Task Scheduler for unrecognized scheduled tasks. Additionally, manually review operating-system defined or recognized scheduled tasks for unrecognized “actions” (for example, review the steps each scheduled task is expected to perform).

— Review antivirus logs for indications they were unexpectedly turned off.

— Look for WinRAR and FileZilla in unexpected locations.

To mitigate risk, the FBI, CISA, NCSC, and ACSC urged organizations to patch and update operating systems, evaluate and update blocklists and allowlists, and implement backup and restoration policies. In addition, organizations should implement network segmentation, work to secure all user accounts, implement multi-factor authentication, secure remote access, and use strong passwords.

For more information, see CISA’s assessment and overview of the ongoing Iranian cyber threat. 
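Most of the review items in the advisory above map onto specific Windows event log records, so a defender can turn the checklist into a repeatable triage pass over an exported log. The script below is an added example of that, not the agencies’ own tooling: it flags newly created accounts (Security event 4720), scheduled tasks outside an allowlist (4698), registry changes touching RDP, WinRM or firewall policy (4657, which requires object auditing to be enabled) and firewall rule changes (4946/4947), Microsoft Defender real-time protection being turned off (Defender operational log event 5001), and WinRAR or FileZilla started from outside Program Files (4688). It assumes the events have been exported to dicts shaped `{"channel", "event_id", "data": {...}}`, for instance flattened from `Get-WinEvent` output; the `KNOWN_*` allowlists are hypothetical and `SAMPLE_EVENTS` is constructed.

```python
"""Triage exported Windows event records against the advisory's review items above.

Added example for this page, not the FBI/CISA/ACSC/NCSC tooling. Assumes events are
dicts shaped {"channel", "event_id", "data": {...}}; the event IDs are the standard
Security-log and Defender ones, the KNOWN_* allowlists are hypothetical, and
SAMPLE_EVENTS is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

Event = Dict[str, object]

KNOWN_TASKS = {"\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan"}  # hypothetical allowlist
KNOWN_NEW_ACCOUNTS: set = set()  # accounts created under an approved change ticket (hypothetical)
SENSITIVE_KEYS = (
    "\\Terminal Server\\fDenyTSConnections",  # toggles RDP
    "\\Services\\WinRM\\",
    "\\SharedAccess\\Parameters\\FirewallPolicy\\",
)
WATCHED_BINARIES = ("winrar.exe", "rar.exe", "filezilla.exe")
EXPECTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class Hit:
    rule: str
    event_id: int
    detail: str


def _d(e: Event, key: str) -> str:
    """Read one field of the event's data section as a string ('' if missing)."""
    return str(e.get("data", {}).get(key, ""))


def rule_new_account(e: Event) -> Optional[str]:
    # 4720: a user account was created
    if e["event_id"] == 4720 and _d(e, "TargetUserName") not in KNOWN_NEW_ACCOUNTS:
        return f"account {_d(e, 'TargetUserName')} created by {_d(e, 'SubjectUserName')}"
    return None


def rule_new_task(e: Event) -> Optional[str]:
    # 4698: a scheduled task was created
    if e["event_id"] == 4698 and _d(e, "TaskName") not in KNOWN_TASKS:
        return f"task {_d(e, 'TaskName')} registered by {_d(e, 'SubjectUserName')}"
    return None


def rule_remote_access_config(e: Event) -> Optional[str]:
    # 4657: registry value modified (object auditing required); 4946/4947: firewall rule added/modified
    if e["event_id"] == 4657:
        target = f"{_d(e, 'ObjectName')}\\{_d(e, 'ObjectValueName')}"
        if any(k.lower() in target.lower() for k in SENSITIVE_KEYS):
            return f"{target} set to {_d(e, 'NewValue')}"
    if e["event_id"] in (4946, 4947):
        return f"firewall rule changed: {_d(e, 'RuleName')}"
    return None


def rule_av_disabled(e: Event) -> Optional[str]:
    # Defender operational log 5001: real-time protection disabled
    if e["channel"] == "Microsoft-Windows-Windows Defender/Operational" and e["event_id"] == 5001:
        return "Defender real-time protection disabled"
    return None


def rule_tool_in_odd_place(e: Event) -> Optional[str]:
    # 4688: process creation; flag watched tools started outside their install directories
    if e["event_id"] == 4688:
        path = _d(e, "NewProcessName").lower()
        if path.rsplit("\\", 1)[-1] in WATCHED_BINARIES and not path.startswith(EXPECTED_DIRS):
            return f"{path} launched outside Program Files"
    return None


RULES = [
    ("new-account", rule_new_account),
    ("new-task", rule_new_task),
    ("remote-access-config", rule_remote_access_config),
    ("av-disabled", rule_av_disabled),
    ("tool-in-odd-place", rule_tool_in_odd_place),
]


def triage(events: List[Event]) -> List[Hit]:
    """Run every rule over every event and collect the items an analyst should review."""
    hits: List[Hit] = []
    for e in events:
        for name, rule in RULES:
            detail = rule(e)
            if detail:
                hits.append(Hit(name, int(e["event_id"]), detail))
    return hits


def ev(event_id: int, channel: str = "Security", **data: str) -> Event:
    """Build one constructed event record in the assumed export shape."""
    return {"channel": channel, "event_id": event_id, "data": data}


SAMPLE_EVENTS: List[Event] = [  # constructed sample log, not real data
    ev(4624, TargetUserName="jsmith", LogonType="10"),  # benign logon, no rule matches
    ev(4720, TargetUserName="svc_backup2", SubjectUserName="jsmith"),
    ev(4698, TaskName="\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan", SubjectUserName="SYSTEM"),
    ev(4698, TaskName="\\OneDriveSync", SubjectUserName="svc_backup2"),
    ev(4657, ObjectName="\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server",
       ObjectValueName="fDenyTSConnections", NewValue="0"),
    ev(4946, RuleName="Allow 3389 inbound"),
    ev(5001, channel="Microsoft-Windows-Windows Defender/Operational"),
    ev(4688, NewProcessName="C:\\Users\\Public\\Music\\WinRAR.exe"),
    ev(4688, NewProcessName="C:\\Program Files\\WinRAR\\WinRAR.exe"),  # expected location
]

if __name__ == "__main__":
    for h in triage(SAMPLE_EVENTS):
        print(f"[{h.rule}] {h.event_id}: {h.detail}")
```

The allowlists are what keep this useful on a real host: a scheduled task or account that came through change control should be added to `KNOWN_TASKS` or `KNOWN_NEW_ACCOUNTS` so the pass only surfaces what nobody recognises, which is exactly the question the advisory asks.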

Also on the prevention front CISA announced that

The White House, via Executive Order (EO) 14028: Improving the Nation’s Cybersecurity, tasked CISA, as the operational lead for federal cybersecurity, to “develop a standard set of operational procedures (i.e., playbook) to be used in planning and conducting cybersecurity vulnerability and incident response activity” for federal civilian agency information systems. In response, today, CISA published the Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. The playbooks provide federal civilian executive branch (FCEB) agencies with operational procedures for planning and conducting cybersecurity incident and vulnerability response activities. The playbooks provide illustrated decision trees and detail each step for both incident and vulnerability response.  
 
FCEB agencies should use the playbooks to shape their overall defensive cyber operations. The playbooks apply to information systems used or operated by an FCEB agency, a contractor of the agency, or another organization on behalf of the agency. CISA encourages agencies to review the playbooks and CISA’s webpage on EO 14028 for more information.  
 
Although CISA created the playbooks for FCEB agencies, we encourage critical infrastructure entities; state, local, territorial, and tribal government organizations; and private sector organizations to review them to benchmark their own vulnerability and incident response practices.

CISA also updated its known exploited vulnerabilities catalog.

And of course, here is a link to Bleeping Computer’s The Week in Ransomware.

While last week was full of arrests and law enforcement actions, this week has been much quieter, with mostly new research released.

Security firms released reports on the types of cryptomixers used by ransomware gangs, a detailed report on Conti, and how Russian ransomware gangs are starting to work with Chinese hackers.

ZDnet adds that “Ransomware is now a giant black hole that is sucking in all other forms of cybercrime. File-encrypting malware is where the money is — and that’s changing the whole online crime ecosystem.”

Cybersecurity Saturday

Inside Cybersecurity provides useful legal perspectives on the Defense Department’s recent changes to its Cybersecurity Maturity Model Certification program for defense contractors.

The evolution of DOD’s Cybersecurity Maturity Model Certification program reflects a response to concerns from the defense industrial base, according to attorneys, who said recent major changes show the Pentagon is taking into account pre-existing mechanisms for contractor compliance with cyber standards and is considering how the program can be implemented effectively.

CMMC 2.0 consolidates DOD’s cyber certification effort into three levels and relies heavily on NIST publications 800-171 and 800-172. The extra 20 controls in level two (formerly level three) are removed from the new model along with maturity processes.

Attorneys surveyed by Inside Cybersecurity questioned whether the Pentagon’s decision to walk back the CMMC model to align with the 110 controls in NIST 800-171 for level two is an effective approach and where things stand with assessment organizations who have been preparing to conduct assessments since the first version of the maturity model debuted in early 2020.

Check it out.

In Security Week, cybersecurity consultant Torsten George reflects on the recent Cybersecurity Awareness Month.

Despite all the new technologies, strategies, and artificial intelligence being employed by security experts and threat actors alike, one thing remains constant: the human element. As humans we’re fallible — a fact that threat actors frequently exploit when launching phishing and social engineering campaigns to establish a foothold in their victim’s IT environment. Ultimately, hackers don’t hack in anymore—they log in using weak, default, stolen, or otherwise compromised credentials.

The reality is that many breaches can be prevented using some basic cyber hygiene tactics, coupled with a Zero Trust approach. Yet most organizations continue investing the largest percentage of their security budget on protecting their network perimeter rather than focusing on security controls which can actually effect positive change to protect against the leading attack vectors: credential abuse and endpoints serving as main access points to an enterprise network.

And as usual Bleeping Computer’s The Week in Ransomware is chock full of news:

This week, law enforcement struck a massive blow against the REvil ransomware operation, with multiple arrests announced and the seizure of cryptocurrency.

On Monday, the US Department of Justice, Europol, and Interpol announced arrests of REvil affiliates and members in Kuwait and Romania. The FBI also announced the arrest of the REvil affiliate behind the July Kaseya attack that encrypted over 1,500 organizations.

In addition, the US announced that $6 million in ransom payments was seized from the REvil ransomware operation.

This week, the other big news is a massive attack on the European electronics retailer MediaMarkt by the Hive Ransomware operation.

What’s more, Krebs on Security reports that

The Federal Bureau of Investigation (FBI) confirmed today [November 13] that its fbi.gov domain name and Internet address were used to blast out thousands of fake emails about a cybercrime investigation. According to an interview with the person who claimed responsibility for the hoax, the spam messages were sent by abusing insecure code in an FBI online portal designed to share information with state and local law enforcement authorities.

Cybersecurity Saturday

From Capitol Hill, the House of Representatives passed the Senate’s bipartisan $1 trillion infrastructure bill on a bipartisan 228-to-206 vote. Data Center Knowledge discusses how the $2 billion in the bill targeted at cybersecurity will be spent. The key comment is “The Infrastructure Bill Is the Carrot — The Stick May Come Later.”

In this regard, ZDNet adds that

Four US Senators have introduced a new bipartisan amendment to the [must pass] 2022 National Defense Authorization Act (NDAA) that will force critical infrastructure owners and operators as well as civilian federal agencies to report all cyberattacks and ransomware payments to CISA.

Two Democrats — Gary Peters and Mark Warner — worked alongside two Republicans — Rob Portman and Susan Collins — to push the amendment, which they said was based on Peters and Portman’s Cyber Incident Reporting Act and Federal Information Security Modernization Act of 2021.

The amendment only covers confirmed cyberattacks and not ones that are suspected. But it forces all federal contractors to report attacks. There is no fine component in the amendment, one of the many provisions senators had been fighting over for months. 

Victim[ized] organizations will have 72 hours to report attacks, another hotly debated topic among government cybersecurity experts. Some wanted it to be within 24 hours and others said it should be within a week.  

But the 72 hour limit does not apply to all organizations. Some — which the senators said included businesses, nonprofits and state and local governments — would be forced to report ransomware payments to the federal government within 24 hours of payment being made. 

From the federal government technology front —

Cyberscoop reports that “A winning streak of hitting deadlines under President Joe Biden’s ambitious May cybersecurity executive order is widely expected to end Monday [November 8], affecting changes that administration officials have touted most: implementing multifactor authentication and encryption at all civilian federal agencies.”

Cyberscoop adds

The Cybersecurity and Infrastructure Security Agency [CISA] is ordering federal agencies to patch nearly 300 known, exploited vulnerabilities in a directive published Wednesday [November 3].

It’s a change from past practice for Binding Operational Directives from the Department of Homeland Security’s main cyber wing. The orders have focused more frequently on one major vulnerability at a time, or have directed agencies to set up broader policies addressing subjects like establishing vulnerability disclosure programs. As rationale, the agency pointed to issues in Microsoft Exchange technology that suspected Chinese hackers seized upon to target victims worldwide in early 2021.

Under the order, agencies must patch vulnerabilities from a CISA-created catalog by dates that range from two weeks for flaws observed this year to six months for those prior. Further, agencies must build a process for fixing such vulnerabilities on an ongoing basis in the future.
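The directive summarized above pairs a catalog with a deadline rule and asks agencies to keep applying that rule as entries are added. The following is an added example, not CISA's tooling and not code from the article: it joins a constructed catalog against a constructed asset inventory and computes each finding's deadline from the rule as the article describes it (two weeks for flaws from the current year, six months for older ones). The real CISA catalog publishes its own due date per entry, so the rule here is a simplification; the catalog identifiers, hosts and dates are all placeholders.

```python
"""Track remediation deadlines for catalog-listed vulnerabilities.

Added example (not CISA's tooling, not code from the article). Deadline rule
follows the article's description of the directive: 14 days for a flaw from
the year it was added to the catalog, six months otherwise. The real catalog
carries its own due date per entry; this is a constructed simplification.
"""
import calendar
from datetime import date, timedelta

# Constructed catalog: placeholder ids, not real CVE numbers.
# cve_year = year the flaw was assigned; date_added = when it entered the catalog.
CATALOG = [
    {"id": "VULN-EXAMPLE-0001", "cve_year": 2021, "date_added": date(2021, 11, 3)},
    {"id": "VULN-EXAMPLE-0002", "cve_year": 2019, "date_added": date(2021, 11, 3)},
]

# Constructed inventory: each asset lists catalog ids found on it and whether
# the fix has been applied.
INVENTORY = [
    {"name": "host-1", "findings": {"VULN-EXAMPLE-0001": False}},
    {"name": "host-2", "findings": {"VULN-EXAMPLE-0002": False, "VULN-EXAMPLE-0001": True}},
    {"name": "host-3", "findings": {"VULN-OTHER-9999": False}},  # not in catalog
]


def add_months(d, months):
    """Calendar-month arithmetic; clamps the day for short months (Aug 31 + 6 -> Feb 28)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def deadline_for(entry):
    """Two weeks if the flaw is from the year it was catalogued, else six months."""
    if entry["cve_year"] == entry["date_added"].year:
        return entry["date_added"] + timedelta(days=14)
    return add_months(entry["date_added"], 6)


def deadline_iso(cve_year, added_iso):
    """String-based convenience wrapper around deadline_for()."""
    return deadline_for({"cve_year": cve_year, "date_added": date.fromisoformat(added_iso)}).isoformat()


def remediation_report(catalog, inventory, today_iso):
    """Return one row per (asset, catalog finding) with its deadline and status."""
    today = date.fromisoformat(today_iso)
    by_id = {e["id"]: e for e in catalog}
    rows = []
    for asset in inventory:
        for vid, patched in asset["findings"].items():
            entry = by_id.get(vid)
            if entry is None:
                continue  # not catalog-listed: left to the normal patch cadence
            due = deadline_for(entry)
            if patched:
                status = "remediated"
            elif today > due:
                status = "OVERDUE"
            else:
                status = f"due in {(due - today).days} days"
            rows.append({"asset": asset["name"], "id": vid, "due": due.isoformat(), "status": status})
    return rows


def overdue(rows):
    """(asset, id) pairs that have passed their deadline unremediated."""
    return [(r["asset"], r["id"]) for r in rows if r["status"] == "OVERDUE"]


if __name__ == "__main__":
    report = remediation_report(CATALOG, INVENTORY, "2021-11-20")
    for r in report:
        print(f"{r['asset']:8} {r['id']:20} due {r['due']}  {r['status']}")
    print("overdue:", overdue(report))
```

Re-running the report on a schedule, with the catalog refreshed from the published feed and the inventory fed by the organization's scanner, is the "ongoing process" the directive asks for; the deadline computation is the only piece that changes if the rule does.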

The Wall Street Journal explains

Many of the cybersecurity gaps outlined in a new White House directive that calls on federal agencies to patch hundreds of online vulnerabilities stem from the government’s aging computer systems, current and former federal tech chiefs, lawmakers and industry analysts say.

But ongoing efforts to upgrade these systems tend to get bogged down by budget restrictions, chronic talent shortages and a revolving door of agency information-technology leaders.

As a result, some of the vulnerabilities listed in the directive, issued by the Biden Administration Wednesday, date back years in older versions of software from Microsoft Corp. and other large technology firms. Agencies that haven’t continually upgraded these and other apps may lack protections needed to ward off the kinds of organized, sophisticated and widespread attacks that have crippled public- and private-sector systems in recent years.

Also Cyberscoop notes that

The Biden administration is working on an executive order that spells out the responsibilities of myriad top cybersecurity officials in the federal government, National Cyber Director Chris Inglis said Wednesday. Specifically, the idea would be to solidify the position of his office, only established by law in January, Inglis told the House Homeland Security Committee.

From the defense contractor front, Nextgov informs us that

The Defense Department is significantly scaling back a program it rolled out last year to validate the cybersecurity of its suppliers through third-party audits and is halting its implementation until the changes are official.

The program was supposed to be implemented over a five-year period with the ultimate goal of requiring every defense contractor in possession of certain controlled but unclassified information to obtain a certificate from a third-party assessor indicating their adherence to the Cybersecurity Maturity Model Certification standard. A number of programs within DOD were selected to pilot the program this year. Now, the Pentagon says it is looking to streamline the program—into CMMC 2.0—and make it more collaborative with industry in two new rulemakings through the Code of Federal Regulations.

“Until the CMMC 2.0 changes become effective through both the title 32 CFR and title 48 CFR rulemaking processes, the department will suspend the CMMC piloting efforts, and will not approve inclusion of a CMMC requirement in DoD solicitations,” reads a notice set to publish Friday in the Federal Register. “The CMMC 2.0 program requirements will not be mandatory until the title 32 CFR rulemaking is complete, and the CMMC program requirements have been implemented as needed into acquisition regulation through title 48 rulemaking.”

At the heart of CMMC was an assertion by Pentagon officials that the current system of allowing defense contractors to self-attest, or simply pledge, their adherence to cybersecurity standards outlined by the National Institute of Standards and Technology is not working. The officials pointed to continued theft of intellectual property by Chinese nation-state actors as their chief indicator.

In preventive steps news, Health IT Security tells us that

Healthcare organizations can have the most sophisticated internal security protocols, but failing to assess third-party risk may leave organizations vulnerable to data breaches nonetheless.

Threat actors are increasingly using third-party business associates as entry points into customer networks. Once inside the network, the malicious hackers may be able to encrypt files, access sensitive health data, and deploy ransomware on any organization that the associate does business with.

Hackers using third-party entities as an attack vector became a very prevalent threat in July 2021, when REvil threat actors launched a ransomware attack against IT management software company Kaseya and compromised the data of over 1,500 of its customers.

According to Jeremy Huval, HITRUST’s chief innovation officer, the Kaseya attack signaled an increase in impactful and frequent supply chain cyberattacks and underscored the need for better third-party risk management procedures.

Last but not least here is a link to the Bleeping Computer’s latest The Week in Ransomware.

The FBI issued advisories this week warning that HelloKitty has added DDoS attacks to their arsenal, that ransomware gangs commonly conduct attacks “during time-sensitive financial events,” and that gangs are targeting tribal-owned businesses, including casinos.

Cybersecurity Saturday

The Wall Street Journal reported on Monday that

The Russia-linked hackers behind last year’s compromise of a wide swath of the U.S. government and scores of private companies, including SolarWinds Corp., have stepped up their attacks in recent months, breaking into technology companies in an effort to steal sensitive information, cybersecurity experts said.

In a campaign that dates back to May of this year, the hackers have targeted more than 140 technology companies including those that manage or resell cloud-computing services, according to new research from Microsoft Corp. The attack, which was successful with as many as 14 of these technology companies, involved unsophisticated techniques like phishing or simply guessing user passwords in hopes of gaining access to systems [a/k/a “password spraying”], Microsoft said.

“This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain,” said Tom Burt, Microsoft’s corporate vice president for customer security and trust, according to a blog post provided ahead of the announcement by Microsoft on Monday.

Security Week adds that

Microsoft has also made available technical guidance that can help organizations detect attacks launched by Nobelium.

Last month, Microsoft published a blog post detailing a piece of malware used by the threat group to exfiltrate data from compromised servers.

ZDNet delves into the password spraying approach to hacking.

Microsoft’s Detection and Response Team (DART) has outlined two main password spray techniques, the first of which it calls ‘low and slow’. Here, a determined attacker deploys a sophisticated password spray using “several individual IP addresses to attack multiple accounts at the same time with a limited number of curated password guesses.”

The other technique, ‘availability and reuse’, exploits previously compromised credentials that are posted and sold on the dark web. “Attackers can utilize this tactic, also called ‘credential stuffing,’ to easily gain entry because it relies on people reusing passwords and usernames across sites,” Microsoft explains.
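The distinguishing feature of the ‘low and slow’ spray described above is breadth rather than depth: a handful of source addresses, few guesses per account so no lockout fires, and many distinct accounts. That shape is what a defender looks for in authentication logs. The following is an added example, not code from ZDNet or from Microsoft DART: it parses a constructed log of login attempts, separates the spray pattern from a classic single-account brute force, and surfaces any successful login that came from a spraying address, which is the event that matters most. The log format, field names and thresholds are assumptions for this example.

```python
"""Flag 'low and slow' password spraying in authentication logs.

Added example (not from the original post or from Microsoft DART). The
heuristic follows the description quoted above: a small set of source IPs,
at most a few guesses per account, many distinct accounts. Log lines,
format and thresholds are constructed for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: "<timestamp> <source ip> <account> <FAIL|SUCCESS>".
# 203.0.113.0/24 addresses spread guesses thinly across many accounts;
# 198.51.100.7 hammers one account; 192.0.2.50 is a normal user.
SAMPLE_LOG = """\
2021-10-25T08:00:01Z 203.0.113.10 alice FAIL
2021-10-25T08:00:05Z 203.0.113.10 bob FAIL
2021-10-25T08:00:09Z 203.0.113.11 carol FAIL
2021-10-25T08:00:14Z 203.0.113.11 dave FAIL
2021-10-25T08:00:20Z 203.0.113.12 erin FAIL
2021-10-25T08:00:25Z 203.0.113.12 frank FAIL
2021-10-25T08:00:31Z 203.0.113.10 grace FAIL
2021-10-25T08:00:36Z 203.0.113.11 heidi FAIL
2021-10-25T08:00:42Z 203.0.113.12 ivan SUCCESS
2021-10-25T08:01:00Z 198.51.100.7 alice FAIL
2021-10-25T08:01:02Z 198.51.100.7 alice FAIL
2021-10-25T08:01:04Z 198.51.100.7 alice FAIL
2021-10-25T08:01:06Z 198.51.100.7 alice FAIL
2021-10-25T08:01:08Z 198.51.100.7 alice FAIL
2021-10-25T08:05:00Z 192.0.2.50 judy SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")


@dataclass
class Event:
    ts: str
    ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the constructed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(m.group(1), m.group(2), m.group(3), m.group(4) == "SUCCESS"))
    return events


def analyze(events, min_accounts=5, max_per_account=2, bruteforce_threshold=5):
    """Classify source IPs and decide whether a spray campaign is present.

    A source is spray-like when it fails against two or more accounts with
    no account tried more than max_per_account times (staying under lockout).
    A spray is reported when the accounts targeted by all spray-like sources
    together number at least min_accounts. A source that fails one account
    bruteforce_threshold times or more is a classic brute force instead.
    """
    fails = defaultdict(lambda: defaultdict(int))  # ip -> account -> failures
    successes = defaultdict(set)                    # ip -> accounts logged in
    for e in events:
        if e.ok:
            successes[e.ip].add(e.user)
        else:
            fails[e.ip][e.user] += 1

    spray_ips, bruteforce_ips = [], []
    for ip, per_user in fails.items():
        worst = max(per_user.values())
        if worst >= bruteforce_threshold:
            bruteforce_ips.append(ip)
        elif len(per_user) >= 2 and worst <= max_per_account:
            spray_ips.append(ip)

    targeted = set()
    for ip in spray_ips:
        targeted.update(fails[ip])
    is_spray = len(targeted) >= min_accounts

    # A success from a spraying address is the likely guessed password.
    suspicious = sorted((ip, u) for ip in spray_ips for u in successes.get(ip, ()))
    return {
        "spray_detected": is_spray,
        "spray_ips": sorted(spray_ips) if is_spray else [],
        "targeted_accounts": sorted(targeted) if is_spray else [],
        "suspicious_successes": suspicious if is_spray else [],
        "bruteforce_ips": sorted(bruteforce_ips),
    }


if __name__ == "__main__":
    result = analyze(parse_log(SAMPLE_LOG))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Per-account lockout counters never trip on the spray half of this log, which is exactly why the detection has to aggregate across accounts and sources rather than per account; the credential-stuffing variant described in the same passage produces the same breadth-over-depth shape and is caught by the same aggregation.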

From our Nation’s capital, Cyberscoop informs us that

The Cybersecurity and Infrastructure Security Agency [(CISA)] has begun working to map out the U.S. critical infrastructure that, if hacked, could result in serious consequences for national security and economic interests, CISA Director Jen Easterly said Friday.

Labeling such infrastructure is the subject of a proposal of the Cyberspace Solarium Commission, a congressional committee, which recommended identifying “systemically important critical infrastructure,” or SICI. Lawmakers have introduced SICI legislation in recent months, but Easterly said her Department of Homeland Security agency is proceeding ahead with or without a bill.

Moreover, per Cyberscoop

Federal Chief Information Security Officer Chris DeRusha, who has played an integral part in responding to the SolarWinds hack, is getting a second gig as deputy national cyber director for federal cybersecurity.

National Cyber Director Chris Inglis hailed DeRusha’s appointment on Twitter Thursday. * * *

DeRusha steps into his additional role at a time when questions persist on Capitol Hill about the breakdown of cyber roles within the federal bureaucracy. The national cyber director’s office is the newest addition to that bureaucracy, established only this year. The office is coming into being as the Department of Homeland Security’s Cybersecurity Infrastructure and Security Agency is increasingly focused on incident response and information sharing in the federal government, and as Deputy National Security Adviser Anne Neuberger probes ways for the U.S. to combat ransomware.

In an interview with The Washington Post that published Thursday, Inglis said the coordination with DeRusha should benefit federal agency cyber officials. “Particularly if you’re a chief information security officer, you’ll see us speaking complementary ways and using our resources in a collaborative manner,” he said.

Also HHS’s Office for Civil Rights, which enforces the HIPAA Privacy and Security Rules, issued its Fall 2021 Cybersecurity Newsletter. This newsletter’s topic is securing legacy systems.

Health IT Security explores the value of applying the zero trust model to health data.

Under the watchful eye of a zero trust security model, no device or user is automatically trusted before being vetted by strict authentication processes. Zero trust is not a single technology or tactic, but a set of cyber defenses that collectively look for threats outside and within a network perimeter.

Implementing a zero trust architecture could make a life-or-death difference in how healthcare organizations operate and respond to cybersecurity incidents. * * *

HC3 recommended that organizations begin zero trust implementation by employing a software-defined perimeter (SDP). SDP is a computer security approach that effectively hides internet-connected infrastructure, such as servers and routers, so that unauthorized third parties cannot see it. With this approach, the network perimeter is based in software rather than hardware and is less vulnerable to hackers.

Organizations should also consider Mesh VPNs, which use a peer-to-peer (P2P) architecture so that every device in the network can connect directly to a peer without going through a central gateway. Mesh VPNs are typically less expensive and easier to scale, HC3 noted.

Healthcare organizations may also benefit from a modern network access control (NAC) platform that can enforce access control and identify every device and user on the network before granting access. This approach provides continuous monitoring and ensures that every device and user is authenticated and trusted.

And as always, here’s a link to Bleeping Computer’s weekly report on ransomware.