The U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has issued a threat brief providing information on the cyber organizations of the Russian Intelligence Services which pose a threat to organizations in the United States, including the healthcare and public health (HPH) sector.

The threat brief provides information on four key advanced persistent threat actors which conduct offensive cyber activities and espionage within the Russian Intelligence Services. These APT actors have been linked to the Federal Security Service (FSB), the Foreign Intelligence Service (SVR), and the Main Intelligence Directorate of the General Staff of the Armed Forces (GRU). The FSB is equivalent to the Federal Bureau of Investigation in the U.S and is mostly concerned with domestic intelligence and foreign intelligence from Russia’s near abroad. The SVR is equivalent to the U.S. Central Intelligence Agency (CIA) and collects foreign intelligence from military, strategic, economic, scientific, and technological targets. The GRU is the equivalent of the Defense Intelligence Agency (DIA) and collects foreign intelligence related to military issues through espionage and is also responsible for conducting destructive cyberattacks.

Turla

Turla, aka Venomous Bear/Iron Hunter/KRYPTON/Waterbug, operates under the direction of the FSB and mostly targets industries such as academic, energy, government, military, telecommunications, research, pharmaceutical companies, and foreign embassies, and has been active since at least 2004. The group is known to use malware and sophisticated backdoors and is mostly focused on diplomatic espionage activities in former Eastern Bloc countries, although was responsible for the attack on U.S. Central Command in 2008, G20 attendees in 2017, and the government computer network in Germany in 2018.

APT29

APT29, aka Cozy Bear, YTTRIUM, Iron Hemlock, and The Dukes, operates under the direction of the SVR and mostly targets the academic, energy, financial, government, healthcare, media, pharmaceutical, and technology industries and think tanks. The APT actor has been active since at least 2008 and uses a range of malware variants and backdoors. The APR actor mostly targets European and NATO countries and is known to conduct spear phishing campaigns to gain stealthy, long-term access to targets networks, and is especially persistent and focused on specific targets. The APT actor steals information but does not leak that information. APT29 is known to be behind the attack on the Pentagon in 2015, the SolarWinds Orion attack in 2020, and targeted COVID-19 vaccine developers during the pandemic.

APT28

APT28, aka Fancy Bear, STRONTIUM, Sofacy, Iron Twilight, operates under the direction of the GRU and has been active since 2004. APT28 targets the aerospace, defense, energy, government, healthcare, military, and media industries and dissidents. The group uses a variety of malware, a downloader for next-stage infections, and collects system information and metadata to distinguish real environments from sandboxes.

APT28 primarily targets NATO countries and is known to use password spraying, unique malware, phishing and credential harvesting, and tends to conduct noisy rather than stealthy attacks. The group steals and leaks information to further Russia’s political interests. The group was behind the attack on the World Anti-Doping Agency in 2016, the cyberattack and leaking of data from the U.S. Democratic National Committee and the Clinton Campaign in 2016, and the German and French Elections in 2016 and 2017.

Sandworm

Sandworm, aka Voodoo Bear, ELECTRUM, IRIDIUM, Telebots, and Iron Viking, operates under the direction of the GRU and has been active since at least 2007. Sandworm mainly targets the energy and government sectors and is the most destructive of all ‘Bear’ threat groups. SAndworm targets ICS and computer systems for destructive purposes, such as conducting wiper malware attacks, especially in Ukraine. The group appears unconcerned with 2nd and 3rd order effects of attacks, such as those of NotPetya, and uses malware such as BadRabbit, BlackEnergy, GCat, GreyEnergy, KillDisk, NotPetya, and Industroyer.

Sandworm was behind the multiple attacks on the Ukrainian government and critical infrastructure in 2015-2016 and 2022, attacks on Georgian websites before the Russian Invasion in 2008, and the NotPetya attacks in 2017.

Mitigations

The tactics, techniques, procedures, and malware used by each of these groups are diverse, but some mitigations can be implemented to improve resilience and block the main attack vectors. These are detailed in the HC3 report and include updating software, patching promptly, enforcing MFA, segmenting networks, and reviewing CVEs for all public-facing systems.

The post HHS Shares Information on Advanced Persistent Threat Groups Linked with the Russian Intelligence Services appeared first on HIPAA Journal.

An emergency directive has been issued by the Cybersecurity and Infrastructure Security Agency (CISA) to all federal agencies, requiring them to take steps to address two vulnerabilities in certain VMware products that are likely to be rapidly exploited in the wild, and two previous vulnerabilities in VMWare products that were disclosed in April which are being exploited by multiple threat actors, including Advanced Persistent Threat (APT) actors.

The latest vulnerabilities, tracked as CVE-2022-22972 (critical) and CVE-2022-22973 (high severity), and the two vulnerabilities from April affect 5 VMWare products:

• VMware Workspace ONE Access (Access) Appliance
• VMware Identity Manager (vIDM) Appliance
• VMware vRealize Automation (vRA)
• VMware Cloud Foundation
• vRealize Suite Lifecycle Manager

CVE-2022-22972 is an authentication bypass vulnerability affecting VMware Workspace ONE Access, Identity Manager, and vRealize Automation that affects local domain users. If a malicious actor has network access to the UI, the flaw can be exploited to gain administrative access without authentication. The vulnerability has been assigned a CVSS severity score of 9.8 out of 10.

CVE-2022-22973 is a local privilege escalation vulnerability in VMware Workspace ONE Access and Identity Manager with a CVSS severity score of 7.8. If a malicious actor has local access, the flaw can be exploited to escalate privileges to root. Both flaws also affect VMware Cloud Foundation and vRealize Suite Lifecycle Manager.

The two vulnerabilities known to have been exploited in the wild are tracked as CVE 2022-22954 (critical) and CVE 2022-22960 (high severity). CISA says both vulnerabilities have been exploited in real-world attacks, individually and in combination, by multiple threat actors.

CVE 2022-22954 is a code injection vulnerability with a CVSS score of 9.8 that affects VMware Workspace ONE Access and Identity Manager products. Exploitation of the flaw allows threat actors to trigger server-side template injection, which can lead to remote code execution. CVE 2022-22960 is an improper privilege management issue with a CVSS score of 7.8 that affects VMware Workspace ONE Access, Identity Manager, and vRealize Automation products, and allows threat actors to escalate privileges to root.

In one attack, a threat actor with network access to the web interface exploited CVE 2022-22954 to execute a shell command as a VMWare user, then exploited the second flaw to escalate privileges to root. After exploiting both flaws, the threat actor could move laterally to other systems, escalate permissions, and wipe logs. In another case, a threat actor deployed the Dingo-J-spy web shell after exploiting the flaws. Exploits for the two April vulnerabilities were developed by reverse-engineering the patches released by VMWare. Now patches have been released to fix the latest two vulnerabilities, similarly rapid exploitation of the flaws in the wild can be expected.

While the emergency directive only applies to Federal agencies, all organizations that are using vulnerable VMWare products should patch immediately or implement the recommended mitigations. The deadlines for Federal agencies to complete the required actions are May 23 and May 24, 2022.

The post CISA Issues Emergency Directive to Patch Vulnerable VMWare Products appeared first on HIPAA Journal.

A new bill has been introduced that seeks to address the cybersecurity of medical devices that will require manufacturers of medical devices to meet certain minimum standards for cybersecurity for the entire lifecycle of the products.

The medical device cybersecurity provisions of the bill – H.R. 7667 Food and Drug Amendments of 2022 – call for device manufacturers to “have a plan to appropriately monitor, identify, and address in a reasonable time postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and procedures,” and to “design, develop, and maintain processes and procedures to ensure the device and related systems are cybersecure.”

The processes and procedures should include making “updates and patches available to the cyber device and related systems throughout the lifecycle of the cyber device.” Those patches and updates are required on a reasonably justified regular cycle to address known vulnerabilities, and, as soon as possible out of cycle, to address critical vulnerabilities that could cause uncontrolled risks.

The bill also calls for manufacturers of medical devices to provide a cyber device software bill of materials in the labeling that states all commercial, open-source, and off-the-shelf software components that have been used in the devices, and manufacturers will need to comply with other requirements that may be introduced, such as being able to “demonstrate reasonable assurance of the safety and effectiveness of the device for purposes of cybersecurity.”

H.R. 7667 was proposed by Rep. Anna Eshoo, (D-CA), and was co-sponsored by Reps. Brett Guthrie, (R-KY), Frank Pallone, (D-NJ), and Cathy McMorris Rogers, (R-WA), and has now been referred to the House Committee on Energy and Commerce. The bill would amend the Food, Drug, and Cosmetic Act and extend the FDA user fee programs, which require manufacturers to pay fees when submitting applications to the FDA for product reviews. The amendments would extend the fee program to cover medical devices, prescription drugs, generic drugs, and other similar biological products.

Several bills have been introduced recently that seek to improve the cybersecurity of medical devices such as the PATCH Act, which was introduced by U.S. Senators Bill Cassidy, M.D. (R-LA) and Tammy Baldwin (D-WI) in March 2022. The PATCH Act also seeks to amend the Federal Food, Drug, and Cosmetic Act and requires all premarket submissions for medical devices to include details of the cybersecurity protections that have been implemented.

There is a clear need for changes to be made to current legislation to require medical device manufacturers to address cyber risks. The security of medical devices has attracted considerable attention of late due to the risk of vulnerabilities being exploited by cyber actors to gain access to healthcare networks, conduct denial-of-service attacks, and deliberately or inadvertently cause harm to patients.

While the FDA has published updated guidance for medical device manufacturers that includes recommendations for improving cybersecurity throughout the entire lifecycle of medical devices, they are only recommendations and are therefore non-binding.

The post Bill Introduced that Seeks to Improve Medical Device Cybersecurity appeared first on HIPAA Journal.

The average ransom payment in ransomware attacks fell by 34% in Q1, 2022, from an all-time high in Q4, 2021, according to ransomware incident response firm Coveware. The average ransom payment in Q1, 2022 was $211,259 and the median ransom payment was $73,906.

The fall in total ransom payments has been attributed to several factors. Coveware suggests ransomware gangs have been targeting smaller organizations and issuing lower ransom demands, due to the increased scrutiny by law enforcement when attacks are conducted on large enterprises. The median company size has been falling since Q4, 2020, and is now companies with around 160 employees. This appears to be the sweet spot, where the companies have sufficient revenues to allow sizable ransoms to be paid, but not so large that attacks will result in considerable scrutiny by law enforcement.

Another reason why total ransom payments have fallen is fewer victims of ransomware attacks have been paying the ransom. The number of victims of ransomware attacks that pay the ransom has been steadily declining, from 85% of victims in Q1 2019 to 46% of victims in Q1, 2022. Also, some of the most prolific ransomware operations have gone quiet, such as Maze and REvil (Sodinokibi).

Conti and LockBit are the most prolific ransomware operations, accounting for 16.1% and 14.9% of ransomware attacks respectively, followed by BlackCat/Alphv (7.1%), Hive (5.4%), and AvosLocker (4.8%). Coveware suggests that the affiliates who work with ransomware-as-a-service operations appear to be less keen to work with large RaaS groups, as those groups are often targeted by law enforcement. It is now common for affiliates to try smaller RaaS operations or even develop their own ransomware variants from leaked source code.

The most common attack vectors in ransomware attacks are phishing, Remote Desktop Protocol connections, and exploiting unpatched vulnerabilities in software and operating systems. Coveware has tracked an increase in other attack vectors since Q2, 2021, such as social engineering and the direct compromising of insiders. Social engineering attacks are similar to phishing but are highly targeted and often involve priming or grooming targeted employees before convincing them to provide access to the network. There has also been an increase in lone wolf attackers. Coveware identified the trend in late 2021, and it has continued throughout Q1, 2022. Attacks by these threat actors are often conducted on companies that have far better security than the average ransomware victim, such as multi-factor authentication properly enabled for all employees and critical resources.

In late 2019, the Maze ransomware operation started using double extortion tactics, where data is stolen from victims before files are encrypted. Payment must then be made for the decryptor and to prevent the publication or sale of stolen data. These tactics were rapidly adopted by many ransomware operations and became the norm, although there was a decline in attacks involving encryption and extortion in Q1, 2022. Double extortion was used in 84% of attacks in Q4, 2021, and 77% of attacks in Q1, 2022. While double extortion is likely to continue to be extensively used in attacks for the foreseeable future, Coveware expects the shift from data encryption to data extortion to continue, as data theft and naming and shaming victims are less likely to attract the attention of law enforcement. “Data theft without encryption results in no operational disruption but preserves the ability of the threat actor to extort the victim. We expect this shift from Big Game Hunting to Big Shame Hunting to continue,” explained Coveware in the report.

Coveware warned about paying the ransom to prevent the publication or sale of data, as there are no guarantees that payment will result in data deletion. In 63% of attacks where a ransom was paid to prevent publication or sale of stolen data, the attackers provided no proof of data deletion. In the remaining attacks where proof was provided, it could easily have been faked. When videos, screenshots, live screen shares, or deletion logs are provided as proof, victims must trust that a copy of the data has not been made. “In one notable case, we observed a threat actor explicitly state that they would not be deleting the stolen data if paid, and would keep it for future leverage against the victim,” said Coveware.

The post Average Ransom Payment Dropped by 34% in Q1, 2022 appeared first on HIPAA Journal.