Cybersecurity Saturday

Security Week reported yesterday that

The global fight against ransomware took a new twist this week with the United States leading a law enforcement effort to hack back and disrupt the extortion group behind the Colonial Pipeline cyberattack.

SecurityWeek has confirmed a Reuters report that the Tor servers associated with the REvil ransomware gang were seized in what was described as a “multi-country” hack-back operation that remains active.

Bleeping Computer discusses this ransomware development and others in its weekly update.

The Wall Street Journal adds that

A criminal organization believed to have built the software that shut down a U.S. fuel pipeline has set up a fake company to recruit potential employees, according to researchers at the intelligence firm Recorded Future and Microsoft Corp.

The fake company is using the name Bastion Secure, according to the researchers. On a professional-looking website, the company says it sells cybersecurity services. But the site’s operator is a well-known hacking group called Fin7, Recorded Future and Microsoft say.

Fin7 is believed to have hacked hundreds of businesses, stolen more than 20 million customer records and written the software used in a hack that disrupted gasoline delivery in parts of the Southeastern U.S., federal prosecutors and researchers say.

From the prevention front:

The American Hospital Association has summarized the recent HC3 vulnerability news of interest to the health sector.

CISA has released a presentation on blockchain for the healthcare sector.

Security Week discusses efforts underway to fill encryption gaps.

The Society for Human Resources Management offers an article on reducing cybersecurity risks in hybrid (remote and office) work:

A Tessian survey found that 88 percent of data breaches involved human error.

And in a hybrid work environment, employees may pay less heed to the rules or simply be more likely to make mistakes since they’re not in a formal office, especially if they’re juggling family and other demands. In the Tessian survey, 43 percent of employees said they have made mistakes at work that compromised cybersecurity; 58 percent admitted having sent a company e-mail to the wrong person, often because they were distracted or tired.

“Every CISO [chief information security officer] I’ve spoken to is wondering what work-from-home means in terms of security, when there is zero distance between the office, the living room and the kitchen,” says Robert Holmes, Proofpoint’s vice president and general manager of email fraud defense.

To that end, executives would do well to encourage more cooperation between the technology side of the house and the people side. “This is an area where there’s a huge opportunity for the CHRO [chief human resource officer] and the CISO to have a strong relationship,” [Deloitte cyber leader Emily] Mossberg says. First, they can team up on training programs to increase security awareness. Second, the CISO can help HR strengthen practices, processes and systems to ensure the security of employee data in distributed work environments.

Cybersecurity Saturday

Tech Republic reports on a White House sponsored “virtual ransomware summit this week with over 30 countries in attendance—although a few notable nations were excluded, such as China, Russia and North Korea. Australia, Brazil, Canada, France, Germany, India, Japan, United Arab Emirates and the United Kingdom were among the attendees.”

Cyberscoop adds that

Nations must better clamp down on money laundering in order to disrupt ransomware gangs’ illicit financial transactions, according to a statement Thursday from more than 30 countries that participated in two days of White House meetings focused on slowing hackers and digital extortion.

The joint statement also included commitments to other methods of countering ransomware, such as encouraging cyber hygiene practices to the private sector, collaborating across law enforcement and national security agencies and using diplomatic pressure against nations that harbor cybercriminals. 

Bleeping Computer’s This Week in Ransomware discusses the summit and more.

ZDNet reports that

More than $5 billion in bitcoin transactions has been tied to the top ten ransomware variants, according to a report released by the US Treasury on Friday. 

The department’s Financial Crimes Enforcement Network (FinCen) and Office of Foreign Assets Control (OFAC) released two reports illustrating just how lucrative cybercrime related to ransomware has become for the gangs behind them. Parts of the report are based on suspicious activity reports (SAR) financial services firms filed to the US government.

FinCen said the total value of suspicious activity reported in ransomware-related SARs during the first six months of 2021 was $590 million, which exceeds the $416 million reported for all of 2020.

Finally, at this week’s CISA summit event marking Cybersecurity Awareness Week, the Acting U.S. Assistant Attorney General for the Civil Division, Brian M. Boynton, spoke about the Department’s Civil Cyber-Fraud Initiative, which leverages the False Claims Act to “identify, pursue and deter cyber vulnerabilities and incidents that arise with government contracts and grants and that put sensitive information and critical government systems at risk.”

We have identified at least three common cybersecurity failures that are prime candidates for potential False Claims Act enforcement through this initiative. 

First, the False Claims Act is a natural fit to pursue knowing failures to comply with cybersecurity standards. When government agencies acquire cyber products and services, they often require contractors and grantees to meet specific contract terms, which are often based on uniform contracting language or agency-specific requirements. For example, cybersecurity standards may require contractors to take measures to protect government data, to restrict non-U.S. citizen employees from accessing systems or to avoid using components from certain foreign countries. The knowing failure to meet these cybersecurity standards deprives the government of what it bargained for. 

Second, False Claims Act liability may be based on the knowing misrepresentation of security controls and practices. In seeking a government contract, or performing under it, companies often make representations to the government about their products, services, and cybersecurity practices. These representations may be about a system security plan detailing the security controls it has in place, the company’s practices for monitoring its systems for breaches, or password and access requirements. Misreporting about these practices may cause the government to choose a contractor who should not have received the contract in the first place. Or it could cause the government to structure a contract differently than it otherwise would have. Knowing misrepresentations of this kind also deprive the government of what it paid for and violate the False Claims Act.   

Finally, the knowing failure to timely report suspected breaches is another way a company may run afoul of the Act. Government contracts for cyber products, as well as for other goods and services, often require the timely reporting of cyber incidents that could threaten the security of agency information and systems. Prompt reporting by contractors often is crucial for agencies to respond to a breach, remediate the vulnerability and limit the resulting harm. 

At bottom, the department’s Civil Cyber-Fraud Initiative will hold accountable entities or individuals that put U.S. information or systems at risk.     

Cybersecurity Saturday

From Capitol Hill, the Wall Street Journal reports that “the Senate Homeland Security Committee took a step forward on Wednesday [October 6], advancing a bill that would require hospitals and oil and natural-gas pipeline companies, among other critical infrastructure operators, to report cyberattacks and ransom payments within 72 hours. Chairman Gary Peters said he wants the bill tacked onto the broader annual defense authorization package.” More details on this Senate committee meeting are available on Nextgov.

On the regulatory front, the U.S. Justice Department announced on Wednesday, October 6, a new Civil Cyber-Fraud Initiative that

will utilize the False Claims Act to pursue cybersecurity related fraud by government contractors and grant recipients. The False Claims Act is the government’s primary civil tool to redress false claims for federal funds and property involving government programs and operations. The act includes a unique whistleblower provision, which allows private parties to assist the government in identifying and pursuing fraudulent conduct and to share in any recovery and protects whistleblowers who bring these violations and failures from retaliation.

The initiative will hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.

Cyberscoop adds that “The focus comes after suspected Russian hackers breached the federal contractor SolarWinds in 2020, using the federal contractor as a foothold into nine U.S. agencies.”

Because the False Claims Act is applicable to FEHB carriers and many FEHB subcontractors, it’s worth adding that the False Claims Act defines “knowingly” as having “actual knowledge” or acting “in deliberate ignorance” or “reckless disregard of the truth or falsity of the information.” 31 U.S.C. § 3729(b)(1)(A). Courts have recognized that this is more than a mere negligence standard. E.g., United States v. Sci. Applications Int’l Corp., 626 F.3d 1257, 1274-75 (D.C. Cir. 2010) (quoting S. Rep. No. 99-345, at 6, 19 (1986)).

It strikes the FEHBlog as unusual that the Justice Department laid out its policy without bringing a test lawsuit. However, because the False Claims Act authorizes private parties to bring False Claims Act lawsuits on behalf of the federal government (“qui tam” actions), the Justice Department may have taken this approach to alert the active qui tam bar of the Department’s support for these kinds of False Claim Act lawsuits.

From the ransomware front, Bleeping Computer reports

While most ransomware actors spend time on the victim network looking for important data to steal, one group favors quick malware deployment against sensitive, high-value targets. It can take less than two days for the FIN12 gang to execute on the target network a file-encrypting payload – most of the time Ryuk ransomware.

The group is a close partner of the TrickBot gang and targets high-revenue victims (above $300 million) from various activity sectors and regions on the globe.

FIN12 is characterized by skipping the data exfiltration step that most ransomware gangs have adopted to increase their chances of getting paid. This attribute allows the group to execute attacks at a much faster rate than other ransomware operations, taking them less than two days from the initial compromise to the file encryption stage.

According to data collected from investigations, most ransomware gangs that also steal data have a median dwell time of five days and the average value is 12.4 days.

With FIN12, the average time spent on the victim network dropped each year, getting to less than three days in the first half of 2021. After getting initial access, the group did not waste any time hitting their victims and in most cases they started activity on the same day. * * *

In a profile of the group published today [October 7] by cybersecurity company Mandiant, researchers note that many FIN12 victims are in the healthcare sector.

And here’s a link to Bleeping Computer’s The Week in Ransomware report. What’s more, here’s a link to Unit 42’s first supplement to the ransomware report that it issued earlier this year. This supplement focuses on ransomware families, like FIN12.

Cybersecurity Saturday

October is National Cybersecurity Awareness Month. The FEHBlog reminds readers that

CISA will host its fourth annual National Cybersecurity Summit on Wednesdays during the month of October. The 2021 Summit will be held as a series of four virtual events bringing stakeholders together in a forum for meaningful conversation:

Oct. 6 – Assembly Required: The Pieces of the Vulnerability Management Ecosystem 

Oct. 13 – Collaborating for the Collective Defense 

Oct. 20 – Team Awesome: The Cyber Workforce 

Oct. 27 – The Cyber/Physical Convergence

Register for this free summit and read more about the presentations at CISA.gov/cybersummit2021

Security Week offers an article on ways to support this national effort.

Also yesterday, October 1, according to ZDNet,

The White House plans to convene a 30-country meeting this month to address cybersecurity, President Biden said in a statement Friday. 

The topics of the meeting, Biden said, will include combating cybercrime, improving law enforcement collaboration, stemming the illicit use of cryptocurrency, building trusted 5G technology and better securing supply chains. 

From Capitol Hill, Senator Gary Peters (D-Mich.) tells us about American Rescue Plan funding totaling $1 billion that is being used to modernize federal IT systems. Here is a complete list of the unclassified Technology Modernization Fund projects.

With respect to cybersecurity practices:

  • Earlier this week, CISA and the National Security Agency “released the cybersecurity information sheet Selecting and Hardening Standards-based Remote Access VPN Solutions to address the potential security risks associated with using Virtual Private Networks (VPNs). Remote-access VPN servers allow off-site users to tunnel into protected networks, making these entry points vulnerable to exploitation by malicious cyber actors.” Here is a Cyberscoop article on this development.
  • Helpnetsecurity.com offers an interesting article about the move from password verification to identity verification to secure networks against cyberattacks. “Identity verification is the most important step in an organization’s system for providing access, and authentication cannot occur until identity is established. This is known as identity-based authentication and it is the foundation of effective security measures. Once identity is established with a high level of efficacy, password-based credentials become obsolete. The end goal is not passwordless solutions – the goal is identity-based authentication, with passwordless as a means to that end.”
  • The National Institute of Standards and Technology issued its 2020 annual report (SP 800-214) last week.

As always, here is a link to Bleeping Computer’s The Week in Ransomware.

Cybersecurity Saturday

From the Capitol Hill front, we learn from Cyberscoop that

  • Last Monday, September 20, nine Senate Democrats wrote a letter to the Federal Trade Commission urging the agency to adopt stronger rules cracking down on privacy violations and data breaches.
  • “The Department of Homeland Security’s cyber division, a key government agency charged with helping stop and respond to cyberattacks, might be getting ready for a bigger role in the spotlight. * * * Both chambers of Congress are contemplating legislation that would make CISA the hub where vital companies would report major cybersecurity incidents, following the string of monumental cyberattacks that began with the SolarWinds breach in December.” The article also discusses a planned large infusion of federal funding to CISA.
  • “The head of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency testified at a Senate hearing Thursday [September 23] in favor of requiring critical infrastructure owners and operators, federal contractors and agencies to report attacks to CISA within 24 hours of detection. * * * At Thursday’s hearing, Easterly further advocated for CISA and the Justice Department to decide what kinds of companies would have to meet the reporting requirements, rather than writing them specifically into the bill. She also advocated fines, rather than subpoenas, to compel companies to obey the reporting requirements. * * * National Cyber Director Chris Inglis, testifying at the same hearing, said he agreed with Easterly’s preferences.”

From the guidance front:

  • On September 21, CISA laid out cybersecurity goals and objectives for critical infrastructure owners. “[W]hile all of the goals outlined in this document are foundational activities for effective risk management, they represent high-level cybersecurity best practices.”
  • On the same day, the HHS Office for Civil Rights which enforces the HIPAA Privacy and Security Rules posted a list of ransomware resources for HIPAA covered entities.
  • Security Week offers an interesting article on working securely from anywhere with Zero Trust.

From the ransomware front:

  • A federal government cybersecurity alert was issued on September 22 about Conti ransomware. “CISA, FBI, and NSA encourage network defenders to examine their current cybersecurity posture and apply the recommended mitigations in the joint CSA, which include:
      ◦ Updating your operating system and software,
      ◦ Requiring multi-factor authentication, and
      ◦ Implementing network segmentation.”
  • Last but not least, here is a link to the current Bleeping Computer post on the Week in Ransomware.

This week’s biggest news is the USA sanctioning a crypto exchange used by ransomware gangs to convert cryptocurrency into fiat currency. By targeting rogue exchanges, the US government is hoping to disrupt ransomware’s payment system.

Other interesting news this week is a list of vulnerabilities commonly used by ransomware gangs and how the REvil operators reportedly use their operator key to hijack negotiations from affiliates.

Cybersecurity Saturday

Action / Reaction

  • Fierce Healthcare reported on September 13 that

An unsecured database containing over 61 million records related to fitness trackers and wearables exposed Apple and Fitbit users’ data online.

Researchers with WebsitePlanet and security researcher Jeremiah Fowler discovered a non-password-protected database that contained tens of millions of records belonging to fitness tracking and wearable devices and apps. The unsecured database belonged to GetHealth, which offers a unified solution to access health and wellness data from hundreds of wearables, medical devices and apps, according to a WebsitePlanet report posted Monday.

The cybersecurity team discovered the unsecured database June 30, ZDNet reported. Fowler said he immediately sent a disclosure notice to the company of the security findings. GetHealth responded rapidly, and the system was secured within a matter of hours, ZDNet reported.

“It is unclear how long these records were exposed or who else may have had access to the dataset,” Fowler wrote in the report.

“We are not implying any wrongdoing by GetHealth, their customers or partners. Nor, are we implying that any customer or user data was at risk,” he wrote.

  • On Thursday, September 16, Cyberscoop reported

App developers and device operators that collect health data about Americans must alert consumers in the event their personal information is compromised or shared without permission, the Federal Trade Commission ruled Wednesday.

The U.S. consumer protection agency voted 3-2 on a new regulation that is meant to clarify the 2009 Health Notification Rule, which details how companies should tell consumers if their data is improperly shared or breached. The decision Wednesday extends the 2009 rule to cover health apps, fitness trackers and other connected devices that have risen in popularity over the past decade.

From the survey front:

  • Health IT Security informs us that “Google and Microsoft amassed the most vulnerabilities compared to other major tech companies in the first half of 2021, research from Atlas VPN revealed. During the first half of 2021, Google accumulated 547 registered vulnerabilities. Microsoft followed close behind at 432.” Ruh roh.
  • CRN discusses the ten biggest cybersecurity risks that businesses face this year.

In ransomware news —

  • The Wall Street Journal advised us yesterday that

The Biden administration is preparing an array of actions, including sanctions, to make it harder for hackers to use digital currency to profit from ransomware attacks, according to people familiar with the matter. 

The government hopes to choke off access to a form of payment that has supported a booming criminal industry and a rising national security threat.

The Treasury Department plans to impose the sanctions as soon as next week, the people said, and will issue fresh guidance to businesses on the risks associated with facilitating ransomware payments, including fines and other penalties. Later this year, expected new anti-money-laundering and terror-finance rules will seek to limit the use of cryptocurrency as a payment mechanism in ransomware attacks and other illicit activities.

The actions collectively would represent the most significant attempt yet by the Biden administration to undercut the digital finance ecosystem of traders, exchanges and other elements that cybersecurity experts say has allowed debilitating ransomware attacks to flourish in recent years.

  • Security Week offers a related report on understanding the cryptocurrency – ransomware connection.

Cybersecurity Saturday

September 11, 2020

From the ransomware front, Bleeping Computer reports today that “The REvil ransomware gang has fully returned and is once again attacking new victims and publishing stolen files on a data leak site.” REvil was responsible most recently for the JBS meat packing plant and the Kaseya hacks. Following the Kaseya hack, the gang went into virtual hiding.

After their shutdown, researchers and law enforcement believed that REvil would rebrand as a new ransomware operation at some point. However, much to our surprise, the REvil ransomware gang came back to life this week under the same name.

Also here is a link to Bleeping Computer’s the Week in Ransomware.

ZDNet offers an interesting article on ransomware targets.

On Monday, KELA published a report on listings made by ransomware operators in the underground, including access requests — the way to gain an initial foothold into a target system — revealing that many want to buy a way into US companies with a minimum revenue of over $100 million. * * *

Ransomware groups such as Blackmatter and Lockbit may cut out some of the legwork involved in a cyberattack by purchasing access, including working credentials or the knowledge of a vulnerability in a corporate system. 

* * * Roughly half of the ransomware operators will, however, reject offers for access into organizations in the healthcare and education sector, no matter the country. In some cases, government entities and non-profits are also off the table. * * *

[T]here are preferred methods of access. Remote Desktop Protocol (RDP), Virtual Private Network (VPN)-based access prove popular. Specifically, access to products developed by companies including Citrix, Palo Alto Networks, VMware, Cisco, and Fortinet.

ZDNet further reports that

All the time spent ticking boxes in cybersecurity training sessions seems to be paying off after all: according to a new report, about a third of emails reported by employees really are malicious or highly suspect, demonstrating the effectiveness of the well-established maxim “Think before you click”.  

IT security company F-Secure analyzed over 200,000 emails that were flagged by employees from organizations across the globe in the first half of 2021, and found that 33% of the reports could be classified as phishing.

On the zero trust front, FCW informs us that “The push to convert federal networks, systems and devices to a zero trust security architecture is accelerating, with the release of three new draft guidance documents as part of the White House administration’s push to improve the nation’s cybersecurity” and the Wall Street Journal provides us with a Deloitte produced guide to zero trust cybersecurity.

For those with a law enforcement orientation, the Wall Street Journal tells us that the secret vulnerability of cybercrime gangs is the burnout of their foot soldiers. The reporters had interviewed scores of lower-level cybercrime workers, among other investigative techniques. Their conclusions:

[W]hen authorities targeted the support staff—the labor force that the cybercrime industry depends on—with a few arrests and made their jobs even more miserable than usual through coordinated shutdowns of server networks, the effect was much greater. This is not unlike putting pressure on a mafia accountant, as opposed to arresting crime bosses. 

In our research, we saw that when authorities attacked the cybercrime infrastructure this way, the services became unreliable and their customers thought they were being scammed, flooding their chat channels with complaints. When servers went down, so did the business of all the criminals who were renting that infrastructure. Cyberattacks declined.

Conventional wisdom suggests that disrupting the infrastructure of cybercrime services by taking down their servers is merely a game of Whac-A-Mole, with these groups able to set up new systems fairly quickly. But that doesn’t take into account the effect on cybercrime workers: We found that these takedowns were extremely frustrating for the people working behind the scenes. We even began to see people quitting the business, burned out from the stress of having to provide round-the-clock customer service and system administration under increasing scrutiny from the police.

Cybersecurity Saturday

Oh joy, Bleeping Computer’s The Week in Ransomware is back after two weeks and it is chock-a-block full of useful information. Check it out.

From the entrepreneurial hacking front, Bleeping Computer also reports that “Hackers are actively scanning for and exploiting a recently disclosed Atlassian Confluence remote code execution vulnerability to install cryptominers after a PoC exploit was publicly released. Atlassian Confluence is a very popular web-based corporate team workspace that allows employees to collaborate on projects.”

Cyberscoop tells us about ongoing discussions on Capitol Hill about reaching a consensus on wide-ranging cybersecurity incident reporting laws.

Battle lines are drawn in Congress over legislation that would require companies to report some cyber incidents to the federal government, with industry groups lining up to support a House of Representatives bill poised to create fewer challenges for business leaders than a similar proposal in the Senate.

The debate involves questions about how quickly companies would have to report attacks, what kinds of specific intrusions would trigger notification and whether failure to comply with the rules would lead to financial penalties. The idea of breach notification legislation gained momentum following last year’s discovery of the SolarWinds hack that compromised nine federal agencies and some 100 companies, as well as the Colonial Pipeline ransomware attack in May.

At issue are such questions as whether companies have 24 or 72 hours to report an incident, along with who would be on the hook outside of critical infrastructure owners and operators, if anyone.

Cyberscoop adds

The bill under discussion in the House would provide companies that share breach data protections against lawsuits, and specifies no punishments for not complying. The Senate bill authorizes financial penalties tied to a company’s gross revenue. Naturally, the private sector prefers not to face penalties, according to the Senate aide.

And while the Senate legislation leaves it to CISA to define what kinds of “cybersecurity incidents” trigger notification requirements, the House legislation defines them as those “likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.” Further, the Senate version requires reporting of confirmed and potential intrusions, while the House bill only applies to confirmed intrusions.

Because there is no Congressional election this year, Congress will have plenty of time this fall to resolve these differences and enact a law.

A friend of the FEHBlog called his attention to this very useful list of cybersecurity resources created by the College of Healthcare Information Management Executives (“CHIME”).

Cybersecurity Saturday

On Wednesday August 25, the President led a summit conference between his administration and business leaders about cybersecurity. The Wall Street Journal reports that the President

called the issue “the core national security challenge we are facing.”

Top tech executives, including Apple Inc.’s Tim Cook, Amazon.com Inc.’s Andy Jassy, Microsoft Corp.’s Satya Nadella and Alphabet Inc.’s Sundar Pichai attended the White House meeting, according to a list of participants shared by an administration official. The guest list also included JPMorgan Chase & Co. CEO Jamie Dimon and Brian Moynihan, president and CEO of Bank of America Corp. , among other representatives of the financial industry.

Here’s a link to the White House’s fact sheet on the conference which highlights its significant accomplishments. Cyberscoop adds that “While impressive, observers noted, those commitments will require considerable follow-up, from expansion to other sectors to policy changes that could emerge from closer-knit relationships between industry and government.”

Last Monday, the FEHBlog attended a Federal Contract Institute webinar on combatting ransomware. The speakers, who were lawyers, suggested placing as many speed bumps, e.g., dual authentication, encryption, DMARC, as you reasonably can in front of the ransomware crook. Your run-of-the-mill ransomware crook will switch intended victims if the first intended victim’s servers appear difficult to crack. The speakers also recommended supplementing NIST 800-171, which focuses on preserving the confidentiality of data, with NIST IR 8374, a June 21 draft which focuses on preserving the integrity and availability of data. The speakers noted that CISA’s www.ransomware.gov site provides a helpful double check to identify available speed bumps.

Speaking of ransomware, the author of Bleeping Computer’s The Week in Ransomware must be on vacation because the FEHBlog cannot find the August 27 issue. In any event, Bleeping Computer does report that yesterday, August 27, “T-Mobile’s CEO Mike Sievert said that the hacker behind the carrier’s latest massive data breach brute forced his way through T-Mobile’s network after gaining access to testing environments.” Cyberscoop adds that

“Americans already trying to avoid calls from telemarketers, call support scammers and long-winded in-laws now have another reason to ignore that ringing phone: ransomware hackers. Scammers affiliated with a digital extortion outfit known as Hive are using phone calls to dial victims who are infected with a malicious software strain that locks up their files until they agree to pay a hostage fee, according to an August 25 FBI alert. Investigators first observed hackers deploying the malware in June, with attackers leveraging Microsoft’s Remote Desktop Protocol to infect business networks.”

Here are a couple of cybersecurity defense links that are worth a gander in the FEHBlog’s opinion:

  • Security Week discusses how threat detection is evolving.
  • The publication also explains how to defeat (avoid?) a false sense of cybersecurity.

Cybersecurity Saturday

Today is the 25th anniversary of President Clinton signing the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) into law. Ponder that, my friends.

Let’s start off today with a link to Bleeping Computer’s The Week in Ransomware:

Ransomware gangs continue to attack schools, companies, and even hospitals worldwide with little sign of letting up. [At the link] we have tracked some of the ransomware stories that we are following this week.

Stories of particular interest revolve around new features and tactics used by some of the ransomware operations.

After analyzing the Conti training material leaked earlier this month, we learned that they use a legitimate remote access software to retain persistence on a compromised network. We also learned that they prioritize searching for cyber insurance policies and financial documents after taking control of a network.

There is some good news, as Emsisoft has released a SynAck ransomware decryptor after the master decryption keys were released by the threat actors earlier this month.

Earlier this week Security Week reported that the “U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week published a new document providing recommendations on how to prevent data compromise during ransomware attacks.”

Although it’s not healthcare, it’s a big hack. The Wall Street Journal reports that “The breach of T-Mobile US Inc. allowed hackers to steal information about more than 54 million people and potentially sell the data to digital fraudsters and identity thieves.” The Journal adds that “T-Mobile has set up a website containing information about the breach and advice on how consumers can protect themselves.”

From the advice column:

  • Tech Republic informs us based on an interview with a cybersecurity lawyer that “Expert says people are becoming smarter about the links they click on and noticing the ones they shouldn’t, giving hope for the future of cybersecurity.” Keep up the good work, friends.
  • HITConsultant.net discusses three ways that healthcare organizations can work to prevent insider security threats, to wit: (1) prioritize employee education without burning them out; (2) improve IT hygiene; and (3) implement a zero trust approach.
  • For more on the zero trust approach check out this helpnetsecurity.com article.

Finally, the Wall Street Journal offers an interesting article on a Deloitte study about using technology to improve the health plan member experience. Check it out, and again, Happy Birthday, HIPAA.