Strategic insights for leaders from tactical cyber observers.
As the world becomes increasingly dependent on the internet and cyberspace remains a contested environment, leaders must monitor geopolitical and cybersecurity risks more than ever. LookingGlass presents the Cyber Monitor – a weekly rollup of analysis and trending topics in cybersecurity for executives to keep abreast of threats, incidents, and risks to their organization and national security.
EDITOR’S HIGHLIGHTS
→ Apple’s network traffic reportedly took an unexpected detour through Russian networking equipment for about twelve hours between July 26 and 27. In a write-up, MANRS (Mutually Agreed Norms for Routing Security), a public interest group that looks after internet routing, reported that Russia’s Rostelecom started announcing routes for part of Apple’s network on Tuesday, in an act of BGP (Border Gateway Protocol) hijacking. While re-routing can happen accidentally, some bad route announcements are malicious. Apple’s routing change was detected by BGPstream (Cisco Works) and by GRIP Internet Intel (GA Tech). Apple has not responded to requests for comment and has not made any public statements about the re-routing allegations as of 28 July. It is also unclear which services could have been impacted by this incident. The Register
Analyst Comment: While unconfirmed at this time, LGC analysts suspect this to be a case of BGP hijacking. This rerouting happens when an attacker falsely announces ownership of a range of IP addresses, thereby causing traffic for the range to be redirected along the attacker’s routes. If successful, it would allow the attacker to monitor, intercept, or even blackhole the traffic on these rerouted ranges.
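To make the detection side of this concrete, the following is an added example (not code from LookingGlass, MANRS, BGPstream or GRIP) that checks a constructed stream of route announcements against a table of expected origin ASNs and flags the two forms of origin hijack a monitor looks for: the same prefix announced from the wrong AS, and a more-specific sub-prefix that wins longest-prefix match. The prefixes, ASNs, timestamps and the expected-origin table are all constructed placeholders; a real monitor would take that table from RPKI ROAs or IRR route objects.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed table of "who is allowed to originate what". In practice this comes
# from RPKI ROAs or IRR route objects. Prefixes are RFC 5737 documentation ranges
# and ASNs are from the private/documentation range, so nothing here is real.
EXPECTED_ORIGINS: Dict[str, Set[int]] = {
    "203.0.113.0/24": {64500},
    "198.51.100.0/24": {64500, 64501},   # legitimately multi-homed block
}


@dataclass(frozen=True)
class Announcement:
    seen_at: str                 # collector timestamp of the BGP UPDATE
    prefix: str                  # announced prefix in CIDR form
    as_path: Tuple[int, ...]     # AS_PATH as seen; the last element is the origin AS

    @property
    def origin_asn(self) -> int:
        return self.as_path[-1]


def classify(ann: Announcement, expected: Dict[str, Set[int]] = EXPECTED_ORIGINS) -> str:
    """Compare one announcement against the expected-origin table.

    Returns one of:
      ok                    exact monitored prefix, authorised origin
      more-specific-ok      sub-prefix of a monitored block, authorised origin
      origin-hijack         exact monitored prefix, unauthorised origin
      more-specific-hijack  sub-prefix, unauthorised origin (wins longest-prefix match)
      unmonitored           prefix not covered by the table at all
    """
    net = ipaddress.ip_network(ann.prefix, strict=True)
    for owned_prefix, owners in expected.items():
        owned = ipaddress.ip_network(owned_prefix)
        if net.version != owned.version:
            continue
        authorised = ann.origin_asn in owners
        if net == owned:
            return "ok" if authorised else "origin-hijack"
        if net.subnet_of(owned):
            return "more-specific-ok" if authorised else "more-specific-hijack"
    return "unmonitored"


def find_hijacks(stream: List[Announcement]) -> List[Tuple[str, str, int, str]]:
    """Return (seen_at, prefix, origin_asn, verdict) for every suspicious announcement."""
    alerts = []
    for ann in stream:
        verdict = classify(ann)
        if verdict.endswith("hijack"):
            alerts.append((ann.seen_at, ann.prefix, ann.origin_asn, verdict))
    return alerts


# Constructed sample feed, roughly the shape of what a route collector exports.
SAMPLE_FEED = [
    Announcement("2022-07-26T09:00:00Z", "203.0.113.0/24", (64496, 64500)),     # legitimate
    Announcement("2022-07-26T21:30:00Z", "203.0.113.0/24", (64497, 64511)),     # same prefix, wrong origin
    Announcement("2022-07-26T21:31:00Z", "203.0.113.128/25", (64497, 64511)),   # more-specific, wrong origin
    Announcement("2022-07-27T01:00:00Z", "198.51.100.0/24", (64498, 64501)),    # second authorised origin
    Announcement("2022-07-27T02:00:00Z", "192.0.2.0/24", (64499, 64502)),       # not in our table
]

if __name__ == "__main__":
    for alert in find_hijacks(SAMPLE_FEED):
        print("ALERT", *alert)
```

The more-specific case matters because routers prefer the longest matching prefix, so a /25 from the wrong origin draws traffic away even while the legitimate /24 is still being announced.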
→ Two ransomware variants that recently surfaced are hitting targets worldwide – the latest confirmation of the growing attacker interest in VMware ESXi environments. One of the malware tools, dubbed Luna, is written in Rust and can encrypt data on ESXi virtual machines (VMs) in addition to data on Linux and Windows systems. The other is Black Basta, a rapidly proliferating ransomware variant written in C++ that, like Luna, targets ESXi VMs and also works on Windows and Linux systems. The two add to a collection of ransomware variants aimed at ESXi, VMware’s bare-metal hypervisor for running virtual machines. Other recent examples of malware targeting ESXi environments include Cheerscrypt, LockBit, RansomEXX, and Hive. The proliferation of ransomware targeting ESXi systems poses a major threat to organizations using the technology. An attacker that gains access to an ESXi host system can infect all virtual machines running on it and the host itself. If the host is part of a larger cluster with shared storage volumes, an attacker can infect all VMs in the cluster as well, causing widespread damage. Vulnerabilities are another factor likely fueling attacker interest in ESXi, as VMware has disclosed multiple vulnerabilities in recent months. In February, the company disclosed five flaws that affected ESXi (CVE-2021-22040, CVE-2021-22041, CVE-2021-22042, CVE-2021-22043, and CVE-2021-22050). Moreover, Matthew Warner, chief technology officer and co-founder at Blumira, points to the Log4j vulnerability as another likely reason for the growing attacker interest in ESXi environments. Warner highlighted that VMware has a wide range of solutions that utilized Log4j and were impacted by the vulnerability. Although VMware acted quickly to provide mitigation guidance, many likely ignored the mitigation advice and are now the targets of threat actors. Dark Reading
Analyst Comment: Luna ransomware highlights another trend in which ransomware groups use languages such as Rust or Golang to create malware that can target multiple systems with little to no changes. A few weeks ago, the Cyber Monitor reported on the new RedAlert ransomware that also targets VMware ESXi servers. These emerging trends highlight how ransomware groups continue to evolve and adopt new tactics, techniques, and procedures. Due to the increase in vulnerabilities that affect ESXi environments, it is critical that organizations patch any vulnerabilities to protect their systems from ransomware threats.
→ An underground economy that mirrors its legitimate e-commerce counterpart is facilitating online criminal behavior, according to a report by HP Wolf Security in collaboration with Forensic Pathways. Cybercrime is becoming more of a profession with easy-to-launch malware and ransomware attacks being offered on a software-as-a-service (SaaS) basis, allowing people with rudimentary IT skills to launch cyberattacks, the report notes. It found that competition in the underground has driven down the price of malicious tools, making them affordable to anyone. In an analysis of 174 exploits advertised on the dark web, HP Wolf researchers found that 91 percent were selling for less than $10. A look at 1,653 malware ads revealed more than three quarters (76 percent) selling for under $10. And on average, information stealers were selling for $5, remote access Trojans (RATs) for $3, exploits for $2.23, and crypters for $1. The underground market is also adopting more mechanisms to encourage fair dealings between buyers and sellers, including vendor feedback scores. In addition, 92 percent of the marketplaces have a third-party service for resolving disputes, 85 percent have escrow services, and 77 percent require “vendor bonds,” which must be paid before anyone can start selling in the marketplace. Looking ahead, the report identified trends security pros should be aware of, including an increase in destructive data denial attacks, a continued blurring of the lines between criminals and nation-state threat actors, an increase in leading-edge technologies to power malicious activities, and nation-states using cybercrime to generate GDP. CSO Online
Analyst Comment: LookingGlass expects to see an increase in new cybercriminals on the underground due to the decrease in the price of malicious tools. As the tools become more accessible, more actors are likely to test their skills and evolve their underground activity. This can also result in the development of more tools such as malware and ransomware strains as actors buy a tool, make slight changes to it to make it their own, and profit from it.
NATION STATE ACTIVITY
→ Threat analysts have uncovered a new campaign attributed to APT37, a North Korean group of hackers, targeting high-value organizations in the Czech Republic, Poland, and other European countries. In this campaign, the hackers use malware known as Konni, a remote access trojan (RAT) capable of establishing persistence and performing privilege escalation on the host. Konni has been associated with North Korean cyberattacks since 2014, and most recently, it was seen in a spear-phishing campaign targeting the Russian Ministry of Foreign Affairs. The ongoing campaign was observed and analyzed by researchers at Securonix, who call it STIFF#BIZON. While the tactics and tools point to APT37, Securonix underscores the possibility of APT28 (aka FancyBear) being behind the STIFF#BIZON campaign. “There seems to be a direct correlation between IP addresses, hosting provider, and hostnames between this attack and historical data we’ve previously seen from FancyBear/APT28,” concludes the report. State-sponsored threat groups often attempt to mimic the TTPs of other skillful APTs to obscure their trace and mislead threat analysts. In this case, the chances of misattribution are significant. Bleeping Computer
Analyst Comment: This campaign demonstrates the challenges of cyber attribution. The underlying architecture of the internet provides multiple ways for attackers to hide their tracks. It is becoming harder to distinguish attackers based on the TTPs used because of the use of “off the shelf” tools and malware. Russian APT groups have previously conducted false-flag cyberattacks, including APT28 targeting France’s TV5Monde television channel while posing as the ISIS “Cyber Caliphate,” and Turla targeting 35 countries using Iranian infrastructure. Attribution challenges may have a negative effect on developing appropriate cyber defense and deterrence measures.
→ An unknown Chinese-speaking threat actor has been attributed to a new kind of Unified Extensible Firmware Interface (UEFI) firmware rootkit called CosmicStrand. According to Kaspersky, the rootkit is located in the firmware images of Gigabyte or ASUS motherboards, and all the images are related to designs using the H81 chipset. This suggests that a common vulnerability may exist that allows attackers to inject their rootkit into the firmware’s image, according to Kaspersky. Victims identified are said to be private individuals located in China, Vietnam, Iran, and Russia, with no discernible ties to any organization or industry vertical. The goal of the attack is to tamper with the OS loading process to deploy a kernel-level implant into a Windows machine every time it’s booted and use this entrenched access to launch shellcode. The shellcode connects to a remote server to fetch the actual malicious payload to be executed on the system. Kaspersky’s attribution to a Chinese-speaking threat actor stems from code overlaps between CosmicStrand and other malware such as the MyKings (aka Smominru and DarkCloud) cryptocurrency botnet and MoonBounce, with the former characterized as a “relentless” malware featuring an extensive infrastructure comprising bootkits, coin miners, droppers, and clipboard stealers, among others. The Hacker News
Analyst Comment: LookingGlass researchers have observed a steady increase in both cybercriminals and nation-state adversaries conducting firmware-based attacks throughout 2020, 2021 and 2022. Previously almost exclusively within the toolkits of nation-state adversaries, these attacks and tools have become increasingly commoditized and are now commonly used by less skilled cybercriminals. The lack of visibility and defense at this level of the attack surface makes it a very attractive feature for operators, and the malware’s persistence even after an entire operating system rebuild allows them to maintain a foothold on the compromised environments.
HACKTIVISM
→ Ukrainian radio stations were hacked last week by threat actors to spread fake news about President Volodymyr Zelensky’s health, according to Ukraine’s security officials. A music program on “at least one” of TAVR Media’s stations – one of Ukraine’s largest radio networks – was interrupted by the false reports on July 21. The unidentified hackers broadcast reports that Zelensky was hospitalized “in an intensive care ward” and that he was temporarily delegating his presidential responsibilities to Ruslan Stefanchuk, Chairman of the Ukrainian parliament. Following the hack, Zelensky addressed the false information, stating: “I am in the office and I have never felt as healthy as I do now” and accusing Russia of orchestrating the attack. Info Security
Analyst Comment: The TAVR Media hack is an example of how threat actors use cyber attacks for disinformation and psychological operations. Since the start of the full-scale invasion of Ukraine, LookingGlass has observed pro-Russian groups using various methods to spread disinformation and propaganda, including deepfake technology, a network of Telegram channels, and defacement of the websites belonging to Ukrainian organizations.
CYBERCRIME
→ Digital security giant Entrust has confirmed it suffered a cyberattack where threat actors breached their network and stole data from internal systems. The breach was publicly confirmed when security researcher Dominic Alvieri tweeted a screenshot of a security notice sent to Entrust’s customers on July 6th. “I am writing to let you know that on June 18, we learned that an unauthorized party accessed certain of our systems used for internal operations. We have been working tirelessly to remediate this situation since that moment,” reads a security notice from Entrust CEO Todd Wilkinson. The security notice confirms that data was stolen from Entrust’s internal systems; however, it is not known if it is purely corporate data or customer and vendor data as well. Depending on what data was stolen, this attack could impact many critical organizations that use Entrust for identity management and authentication, including US government agencies. BleepingComputer has learned that a well-known ransomware gang was behind the attack – the operation will likely become known when the group publishes the stolen data unless Entrust pays a ransom demand. Vumetric Cyber Portal, BleepingComputer
Analyst Comment: According to the BleepingComputer report, a well-known ransomware gang purchased and used compromised Entrust credentials to conduct the attack. The use of valid account credentials is a common technique that can be leveraged during different stages of a cyberattack, including Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials can be easily purchased on underground marketplaces, with the price for most credentials ranging between $3.50 and $100, according to LookingGlass research.
→ The APT actor Evilnum is targeting European financial and investment entities. “Evilnum is a backdoor that can be used for data theft or to load additional payloads,” enterprise security firm Proofpoint said in a report shared with The Hacker News. Targets include organizations with operations supporting foreign exchanges, cryptocurrency, and decentralized finance (DeFi). Active since 2018, Evilnum is tracked by the wider cybersecurity community using the names TA4563 and DeathStalker. The latest set of activities flagged by Proofpoint incorporates updated TTPs relying on a mix of Microsoft Word, ISO, and Windows Shortcut (LNK) files sent as email attachments in spear-phishing emails to the victims. Other variants of the campaign spotted in early 2022 have made use of financial lures to entice recipients into opening .LNK files within malicious ZIP archive attachments or clicking on OneDrive URLs containing either an ISO or LNK file. Although no next-stage malware executables were identified, the backdoor is known to act as a conduit to deliver payloads from the malware-as-a-service (MaaS) provider Golden Chickens. The Hacker News
Analyst Comment: Evilnum has long targeted financial technology (FinTech) and other entities engaged in financial activity. The group is unaffiliated with any state actor. Instead, Evilnum is focused on retrieving sensitive business information, likely in a “hacker-for-hire” mode, and conducts attacks within a limited scope. While the most recent targets are unnamed, they include at least one intergovernmental organization that works with international migration. It is noteworthy that some of Evilnum’s recent activity aligns temporally with the Russian invasion of Ukraine. The ultimate recipient of stolen data is unknown; however, conflict and economic uncertainty make for fertile targeting grounds for a group such as Evilnum.
→ Some cryptocurrency platforms that have lost millions of dollars in digital heists are offering some of the money to attackers if they give back the rest. Victims have offered as much as $10M in these efforts, and have likened them to the bug bounties paid to security researchers for uncovering software flaws. Similar to ransom payments, the deals may allow a company to get back to normal after a cyberattack, security experts say. But vulnerability specialists disapprove of the practice of branding them as “bug bounties.” To them, the practice legitimizes thieves by conflating them with white-hat hackers, who report software flaws for a fee. Ethical hackers deal directly with companies, including multinationals, such as Microsoft, or go through third-party platforms. According to crypto-research firm Chainalysis, North Korean-linked groups have stolen more than $1B, largely from decentralized financial platforms. WSJ
→ A hacker claims to have the phone numbers and email addresses of ~5.5M Twitter users and is selling the database for $30k. On Thursday, July 21, a threat actor identified as ‘devil’ offered the database on a hacking forum: “Hello, today I present you data collected on multiple users who use Twitter via a vulnerability. 5485636 users, to be exact”, the post says. “These users range from Celebrities to Companies, randoms, OGs, etc.” According to a report by RestorePrivacy, the flaw exploited to collect the data is the same one that was disclosed via HackerOne on January 1st and was fixed on January 13th. The HackerOne report stated at the time that the vulnerability allowed any party without authentication to obtain a user’s Twitter ID by submitting a phone number or email even if the user had prohibited this action in the privacy settings. Hackers abused the vulnerability by inputting email addresses and phone numbers to extract account IDs. Equipped with these IDs, they most likely scraped all remaining public data to establish user profiles. Techzine
Analyst Comment: Based on LookingGlass research, a small amount of Twitter data that threat actor ‘devil’ provided on Breached Forums as a sample appears to be accurate. The leaked data (phone numbers and email addresses associated with Twitter accounts) can be used by attackers for nefarious purposes, including phishing and smishing attacks targeting Twitter users.
→ Candiru, an Israeli spyware vendor, was discovered using a zero-day vulnerability (CVE-2022-2294) in Google Chrome to spy on journalists and other individuals of interest in the Middle East with the “DevilsTongue” spyware. Avast, a Czech cybersecurity firm, linked the exploitation to Candiru (aka Saito Tech), which has a history of exploiting previously unknown flaws to deploy DevilsTongue, a system with Pegasus-like capabilities. Candiru, along with NSO Group, Computer Security Initiative Consultancy PTE. LTD., and Positive Technologies, was added to the entity list by the US Commerce Department in November 2021 for engaging in “malicious cyber activities.” The firm’s findings shed light on multiple attack campaigns carried out by the Israeli hack-for-hire vendor, which is said to have returned in March 2022 with a revamped toolset to target users in Lebanon, Turkey, Yemen, and Palestine via watering hole attacks using Google Chrome zero-day exploits. The attackers began the infection sequence in Lebanon by compromising a website used by employees of a news agency in order to inject malicious JavaScript code from an actor-controlled domain that is responsible for redirecting potential victims to an exploit server. A profile of the victim’s browser is created using this watering hole technique, which includes details such as language, timezone, screen information, device type, browser plugins, referrer, and device memory, among others. The researchers assessed that the data gathered was used to ensure that the exploit was only delivered to the intended targets. If the attackers believe the collected data is valuable, the zero-day exploit is delivered to the victim’s machine via an encrypted channel.
While the sophisticated malware can record the victim’s webcam and microphone, keylog, exfiltrate messages, browsing history, passwords, locations, and much more, it has also been seen attempting to escalate its privileges by installing a vulnerable signed kernel driver (“HW.sys”) containing a third zero-day exploit. The Hacker News
→ A ransomware command and control network based in Russia has been discovered to have a foothold in at least one US network, according to researchers from attack surface management firm Censys. Censys’ director of federal applications, Matt Lembright, stated that in late June, he was scanning millions of hosts in Russia when he discovered two hosts containing a Rapid7 exploitation tool, Metasploit, and a command and control (C2) tool called Deimos C2. One of these hosts was also in possession of the PoshC2 tool. Following further investigation, Lembright discovered that the hosts were linked to both the MedusaLocker and the Karma ransomware. “Censys located a host in Ohio also possessing the Deimos C2 tool discovered on the initial Russian host and, leveraging historical analysis, discovered that the Ohio host possessed a malware package with software similarities to the Russian ransomware hosts possessing PoshC2 mentioned above, in October 2021,” Lembright stated, noting that the host in Ohio had ties to the Karma ransomware. It was also noted that the discovery was particularly novel because most ransomware incidents are discovered after an attack, and this was the rare instance of researchers finding evidence of groups setting the stage for an attack. Two of the hosts were found to carry malware and two other hosts were connected to Bitcoin, giving the group both the means to infect and exploit a victim via ransomware and a method to be paid. Ransomware groups can’t launch attacks from Russian infrastructure, so they typically compromise hosts in the US to get around this, according to the ransomware expert. The firm was able to link the hosts to MedusaLocker in part because of a CISA report released a few weeks ago that highlighted the ransomware group and provided email addresses, IP addresses, and TOR addresses used by the group. The Record
Analyst Comment: This research confirms some previously observed trends. It is worth noting that ransomware affiliates may not be able to launch attacks from Russia because they will likely be blocked, but attackers typically use some sort of proxy to hide their involvement in the attack, as stated in the article.
CRITICAL INFRASTRUCTURE
→ Recent events highlight the volatility and unpredictability of the energy and utility sector. The energy sector experienced rapid digital transformation during the pandemic as companies sought to maintain operations at a time of social distancing. This came as innovations were already underway to reduce emissions and maximize efficiency within the sector. Digitalization and remote work have thus expanded the attack surface, providing more opportunities for exploitation by cybercriminals and creating new challenges for security teams. Separately, the situation in Ukraine has presented concerns for governments as well as putting the world’s cyber defense authorities on high alert. In April, Western governments jointly warned about the potential threat of increased malicious cyber activity by Russia against critical infrastructure in response to sanctions imposed as punishment for its invasion of Ukraine. The energy sector is characterized by complexities that make shoring up its cyber defenses challenging, particularly in industrial environments where equipment and means of production are expected to last several decades, making rapid upgrades or changes difficult to implement. A recent Cyber Readiness Report found that 94% of government agencies and critical infrastructure providers around the world report challenges in implementing endpoint detection and response, extended detection and response, multi-factor authentication, and zero-trust technologies. Moreover, less than a third (29%) of critical infrastructure companies have zero-trust architecture, and only 37% have fully deployed multi-factor authentication. Power Mag
Analyst Comment: The energy sector in particular is subject to increased volatility. In addition to the challenges listed in the article, supply strain and the dynamics at play with the Russian invasion of Ukraine have put the sector at risk in Europe. Ukraine’s energy sector has been targeted by Russian APT groups multiple times. As fall and winter approach and more strain is placed on the energy infrastructure, the sector will remain a prominent target for cyber attacks going forward.
→ The Transportation Security Administration on Thursday, July 21, unveiled revised cybersecurity directives for oil and natural gas pipelines. Rumors of the changes leaked last month with many criticizing the original directives released in July 2021 following the ransomware attack on Colonial Pipeline that May. The first directive forced owners and operators of critical pipelines to report cybersecurity incidents, designate a cybersecurity coordinator, and conduct vulnerability assessments. According to the TSA, the newly revised directive was developed with input from industry stakeholders and federal partners like CISA. The reissued directive extends the cybersecurity requirements for another year, and according to TSA “focuses on performance-based – rather than prescriptive – measures to achieve critical cybersecurity outcomes.” Duncan Greatwood, CEO of cybersecurity firm Xage, noted that TSA is doubling down in some areas, such as access control and credential management for critical infrastructure systems, while relaxing some rules in other areas, such as lead times for incident reporting. The Record
WATER
→ The Narragansett Bay Commission, which runs sewer systems in parts of the metropolitan Providence and Blackstone Valley areas, was hit by a ransomware attack. A spokeswoman for the commission acknowledged the attack in an email on July 15 to The Providence Journal. “Last week, the Narragansett Bay Commission identified a cybersecurity incident that involved the encryption of data on certain computers and systems in its network,” spokeswoman Jamie R. Samons said in the email. While she did not specify a ransomware attack, such attacks typically involve hackers encrypting data on a victim’s computer system and refusing to supply the key to decode the data until a ransom is paid. Samons noted the systems hit by the attack do not control the operation of the sewage system. It was unclear whether customer information was taken during the attack. As a result of the attack, the Narragansett Bay Commission paid a $250k ransom to bring its systems back online. The Providence Journal
Analyst Comment: In May, US cybersecurity experts warned that the water and wastewater sectors were the most vulnerable to cyberattacks. According to recent LookingGlass research, critical infrastructure at the local level has been a target of cyberattacks in the past few months. Upon closer examination of a wide range of IP addresses in the sector, LookingGlass found that a single corporation hosted many water utilities at the municipal, village, and rural levels. This poses a likely centralized risk to the attack surface because if one domain has a vulnerability or exposure, it will be present in hundreds of other domains as well. Additionally, many water companies also provide power services, and could therefore pose potential cascading risks to other sectors in the event of a security incident. LookingGlass is continuing research in this area and will publish our findings in the coming weeks.
FINANCE
→ Despite the ongoing shift to multi-factor authentication (MFA), the financial sector still faces a significant problem when it comes to breaches related to identification compromise, according to a recent research report. The report was based on interviews with 500 IT security decision-makers in the financial sector based in the US, UK, France and Germany. The authentication in financial services study discovered that US and European financial institutions experienced an average of 3.4 significant breaches in the previous year, costing these banks, credit unions, and investment firms an average of $2.19M in losses and remediation (which does not account for “intangible and hidden costs”). The report also discovered that 80% of these breaches were caused by a “weakness in authentication.” According to the study, financial firms have become too “complacent” about authentication practices in the face of an exponential rise (in some cases) in cyberattacks and a rising level of sophistication from cybercriminals. 85% of financial organization respondents experienced a cyber breach in the previous 12 months. Multiple breaches occurred in 72% of cases within the same timeframe. Despite this, 90% of the breached enterprises maintain that their current authentication method is secure, “despite data proving otherwise.” The report’s other major findings include: 36% of respondents reporting phishing as the “most prevalent type of attack,” followed by malware and credential stuffing, which each accounted for 31% of breaches; and push notification attacks, which accounted for 29%. Nearly one-third of these organizations “lost customers to competitors,” while 29% lost at least one employee and 26% lost customer data after a data breach, according to the study. 89% of the decision-makers said that they “believe that passwordless MFA offers the highest level of authentication security.” SC Magazine
Analyst Comment: Traditional forms of MFA, such as sending a one-time password via a text message, can be bypassed by attackers. However, such MFA methods are commonly used by financial services providers. Financial organizations are also a common target of cyber criminals, especially those who are financially motivated, making the implementation of more advanced MFA methods by the financial services industry even more important.
→ Hackers are increasingly targeting financial firms such as banks and trading houses with cyberattacks designed to use their computer systems to mine cryptocurrencies, according to cybersecurity firm SonicWall. Cryptojacking attacks on financial institutions more than tripled in the first half of the year, according to the report. The overall number of such events increased by 30% to 66.7M. The financial industry was targeted five times more than retail, the second-most targeted sector. As more financial institutions migrate their applications to cloud-based systems, hackers are spreading malware across corporate servers and other devices or hijacking Wi-Fi networks to gain access. Part of the overall rise in cryptojacking is due to governments cracking down on ransomware attacks, which has caused some cybercriminals to switch methods, according to the report. However, the report did note some promising signs. The number of cryptojacking attacks fell by more than 50% in Q2, to 21.6M, compared to Q1. This trend follows a typical seasonal pattern in which attacks slow in Q2 and Q3 before picking up in Q4 of the year, the report stated. Bloomberg
Analyst Comment: Financially motivated threat actors typically get involved in the most lucrative, but lower-risk types of cybercrime. With the amount of attention from the media, law enforcement, and national governments that ransomware gangs have attracted in recent years, it is a logical step for some cybercriminals to transition to a lower-risk type of cybercrime. Unlike victims of ransomware attacks, cryptojacking victims are often unaware that their computers or networks have been compromised. Along with seasonal trends, the recent drop in cryptojacking attacks coincides with the crypto market’s crash, making it likely that the volume of attacks could increase as cryptocurrency markets show signs of recovery.
HEALTHCARE
→ Web applications such as patient portals, telehealth services, and online pharmacies can become entry points for computer network attacks against physicians and health systems, according to federal experts. The warnings and potential security upgrades were issued by the US Department of Health and Human Services (HHS) in its latest threat brief, “Web Application Attacks in Healthcare.” The HHS Office of Information Security and the Health Sector Cybersecurity Coordination Center (HC3) provide guidance. According to HC3, which cited Verizon’s 2022 Data Breach Investigations Report, web apps were the main vector in cyberattacks against the healthcare sector in 2021, with 849 incidents, including 571 with confirmed data disclosure. An example is a January incident in which a ransomware attack on a human resources and payroll vendor disrupted paychecks for a system’s healthcare workforce. A ransomware attack brought down a California hospital system’s patient portal in May 2021. Medical Economics
Analyst Comment: Medical devices, systems, and IoT used in the healthcare industry expand the sector’s attack surface, providing more entry points for unauthorized access to sensitive data. Web applications in particular are often targeted by threat actors because they can be relatively easy to reach without using sophisticated tools. Web applications can also be vulnerable to exploits targeting third-party platforms or components (the Log4j vulnerability is one of the known recent examples). Web applications also let attackers reach a large audience at once, since a single application is often used by multiple organizations.
→ The Covid-19 pandemic has demonstrated that healthcare is a critical component of every country’s infrastructure and that protecting it from cyberattacks is in the best interests of governments, according to a cybersecurity executive. Because cyber insurance providers are private companies, the government finds it difficult to regulate the premiums they charge, according to Wes Wright, CTO at Imprivata. They can, however, make accommodations to offset the rising costs of this insurance if certain conditions are met. The healthcare industry will continue to lag in cybersecurity unless it receives guidance and financial assistance in the form of standards, funding, or other incentives such as tax breaks, according to cybersecurity experts. Government subsidies would take the form of credits to healthcare providers or sliding remuneration to encourage increased investment in technology and human capital. The government could grant preferred vendor status to insurers that collaborate with providers to scale and maintain security. Whatever the case, one thing is certain: any subsidy must require proof that basic cybersecurity controls are in place, according to Mr. Wright. Without such a requirement, insurance companies benefit rather than healthcare organizations or patients. As the demand for telemedicine grows, patients and their health information, as well as the healthcare systems that serve them, will be more vulnerable to cyberattacks. All of this increases the risk of threat actors targeting that data and disrupting potentially life-saving processes. Allowing a discussion among government officials to take place will shed light on the disparities between healthcare systems, revealing how unprepared some are to deal with cyberattacks. Forbes
→ The National Institute of Standards and Technology (NIST) has updated its cybersecurity guidance for the healthcare industry to assist healthcare organizations in protecting patients’ personal health information. The guide is intended to assist in complying with the Federal Health Insurance Portability and Accountability Act (HIPAA) Security Rule, which requires the protection of sensitive health data. The Security Rule is a component of HIPAA that focuses on protecting electronic protected health information that a healthcare organization creates, receives, maintains, or transmits. The guidance maps all of the HIPAA Security Rule elements to Cybersecurity Framework subcategories. It emphasizes the guidance’s risk management component, including integrating enterprise risk management concepts, according to a NIST cybersecurity specialist. The guidance comes as the US Department of Health and Human Services reports an increase in cyberattacks on healthcare systems. MeriTalk
GOVERNANCE
USG
→ On Monday, July 25, the White House announced the hiring of a former Google executive to the Office of the National Cyber Director, where she will focus on improving and developing the nation’s cyber ecosystem. Camille Stewart Gloster, who begins her new position on August 1, will be the deputy national cyber director for technology and ecosystem security. “[Stewart Gloster] is a pioneer who has led on cyber issues for more than a decade at the highest levels of government and industry,” National Cyber Director Chris Inglis said in a statement. Gloster was previously responsible for Google’s global product security strategy. She also worked as a senior cyber policy adviser at DHS during the Obama administration. Her appointment comes on the heels of last week’s White House Cyber Workforce and Education Summit, at which participants, including Inglis, pledged to increase diversity in the cyber field and develop a national cyber workforce and education strategy. The Hill
GEOPOLITICS
→ On his trip to the Middle East last week, President Biden pledged to expand cyber cooperation with Israel and Saudi Arabia, a move that experts see as a direct response to Iran’s rising digital threat. The US and Saudi Arabia signed bilateral agreements to strengthen their cybersecurity partnership and share information about cyber threats and malicious actors, while Israel and the United States agreed to increase collaboration to combat cybercrime. The shared adversary of Iran provides an opportunity for the US to strengthen alliances between the two Middle Eastern countries, which have been in secret talks to possibly establish official relations, according to a researcher. The Hill
LAW & DATA PRIVACY
→ TikTok, the popular social media app owned by China-based ByteDance, appears to have confirmed reports from earlier this month that its Chinese employees had access to its US users’ personal data, according to an FCC commissioner. Brendan Carr, a Republican Commissioner at the Federal Communications Commission (FCC), shared a TikTok email to US congressional staff about “minimizing” data transfers to China. The print screen of the email shows TikTok’s message on “Keeping US user data secure,” in which the platform says it has created a data security division that is looking into “minimizing” user data transfers across regions, including to China. TikTok misled US officials and platform users by claiming that data is stored in the US and cannot be accessed by employees in China, according to audio tapes from over 80 internal TikTok meetings at ByteDance. Furthermore, ByteDance spent a record $2.14M on lobbying during Q2 to combat escalating congressional attacks on its privacy and security practices. TikTok’s lobbying spending increased nearly 130% from Q1, indicating that the company’s government affairs operation is refocusing on Congress after a hiatus. The company spent $1.84M in Q2 of this year, up 16.3% from the same period last year.
Risky Biz, Cybernews, Bloomberg, Twitter
Analyst Comment: TikTok routinely comes under scrutiny in multiple countries for skirting data privacy concerns and obfuscating oversight efforts. As with other Chinese companies, a straight line can be drawn between TikTok’s parent company, ByteDance, and the Chinese government, making it likely that user data is being leveraged by the Chinese government. TikTok has an active user base of over 138M users in the US, representing a large pool of data to be collected and exploited by the Chinese government.
→ A bill introduced Wednesday, July 20, by the House Intelligence Committee would block US buyers from purchasing foreign spyware. The bill follows media reports that Israeli spyware maker NSO was to be acquired by US defense contractor L3Harris. Calling the proliferation of foreign-made commercial spyware “an acute and emergent threat to the national security of the United States,” the bill would empower the US Director of National Intelligence to bar any contract between such spyware manufacturers and the intelligence community. It would also authorize the White House to sanction them if they target US spies. In a statement, the White House said it shared lawmakers’ concerns that tools made by NSO posed “a serious counterintelligence and security risk to US personnel and systems” and was working on its own ban on the US government’s use of foreign spyware that had been misused abroad. Last year, Reuters revealed that State Department phones had been hacked using NSO spyware. Only a few weeks earlier, NSO was added to the US Entity List by the US Department of Commerce. Reuters
→ Big Tech companies agreed on Monday, July 25, to reduce harmful online content in New Zealand, a move that critics said dodged the alternative of government regulation. Meta, Google, TikTok, Amazon, and Twitter signed a code of practice, according to Netsafe, a government-funded internet-safety group. The companies would follow the code – called the Aotearoa New Zealand Code of Practice for Online Safety and Harms – as self-regulation, Netsafe chief Brent Carey said in a statement. Industry lobby group NZTech will be responsible for ensuring the companies meet their obligations, which include reducing harmful content online, reporting their methods for reducing such content, and supporting the independent evaluation of results. Interest groups want more detail, for example, about sanctions for any failure by the companies to comply and about a mechanism for public complaints. They also point to the pact being administered by an industry body, not the government. Reuters
→ On Tuesday, July 27, Russia’s competition watchdog fined Google $34.2M for abusing its dominant position in the video hosting market, the regulator said in a statement. The decision is the latest multi-million dollar fine imposed by Moscow as part of its increasingly assertive campaign against foreign tech firms. The Federal Antimonopoly Service (FAS) stated that the company had “abused its dominant position in the YouTube video hosting services market,” but did not elaborate. Google must pay the fine within two months of it taking effect, according to the FAS. Reuters
Analyst Comment: Google has now been hit with over $380M in fines. Google is one of the few Big Tech companies that has not been blocked in Russia; however, the Russian government appears likely to increase pressure on the company. At the same time, Google has recently been banned in the occupied Ukrainian territories of the Luhansk and Donetsk regions. In early July, Instagram and Viber were also banned alongside Google in the occupied Kherson region.