Articles

Biden administration, US allies condemn China’s malicious hacking, espionage…

Global coalition calls on China to curtail its cyber activities. For the first time, the US blames China directly for ransomware attacks.

Following a  push by the White House to address the ransomware crisis emanating from Russia and the imposition of sanctions on Russia for its spree of malicious cyber actions, the Biden administration has launched a multi-part strategy to shame another digital security adversary, China, into halting its digital malfeasance.

First, the administration formally accused China of breaching Microsoft’s Exchange email servers to implant what most experts consider reckless and damaging surveillance malware. Although Microsoft has long attributed that incident to a Chinese hacking group it calls HAFNIUM, the White House has now finally and officially acknowledged China’s role in that supply chain attack.

In a statement, the White House said it is attributing “with a high degree of confidence that malicious cyber actors affiliated with PRC’s MSS conducted cyber-espionage operations utilizing the zero-day vulnerabilities in Microsoft Exchange Server disclosed in early March 2021.”

Secretary of State Anthony Blinken said in a statement that “the United States government, alongside our allies and partners, has formally confirmed that cyber actors affiliated with the MSS exploited vulnerabilities in Microsoft Exchange Server in a massive cyber-espionage operation that indiscriminately compromised thousands of computers and networks, mostly belonging to private sector victims.”

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Nick Fewings on Unsplash

Articles

Biden Administration announces flurry of new anti-ransomware efforts

The defensive initiatives include a reward for information on nation-state actors and the formation of a new interagency ransomware task force.

Under pressure to halt ongoing and highly damaging ransomware attacks from Russian criminal groups, the Biden administration yesterday announced a flurry of defensive initiatives to deal with the crisis. These announcements come one week after President Biden issued a stark warning to Russian President Vladimir Putin to deal with the ransomware threat groups in his country or else the US will take action to dismantle the threat.

First, the State Department announced that its Rewards for Justice program, which the Diplomatic Security Service administers, will give a $10 million reward to anyone offering information that leads to identifying state-sponsored threat actors. Specifically, rewards will be given to those who supply information that leads to the “identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against US critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA).”

The Rewards for Justice (RFJ) program has set up a Tor-based dark web reporting site to protect the safety and security of potential sources. Additionally, the RFJ program works with interagency partners to enable the rapid processing of information and the possible relocation of and payment to sources.

Second, the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) announced it would convene a FinCEN Exchange in August 2021 focused on ransomware concerns. The Exchange will be composed of financial institutions, other key industry stakeholders, and federal government agencies. The goal of the meeting is to inform FinCEN’s next steps in addressing ransomware payments.

This article appeared in CSO Online. To read the rest of the article please visit here.

 

Articles

NIST’s EO-mandated software security guidelines could be a game-changer

While experts applaud the new security guidance, it’s unclear whether software vendors will completely embrace and implement the needed security practices.

Following a string of high-profile supply chain hacks, President Biden’s wide-ranging executive order on cybersecurity (EO) issued on May 12 directed the National Institute of Standards and Technology (NIST) to produce guidance on a series of software security matters. First, the EO asked NIST to produce a definition of critical software, which it released at the end of June. Second, the EO directed NIST to publish guidance on security measures for EO-critical software use, which NIST released last Friday.

To tackle the complex issue of keeping software secure, NIST solicited papers from interested parties and held a two-day workshop to gain insight from industry and other experts.  NIST defined five objectives for the operational-only (not covering development and acquisition matters) security measures:

  1. Protect EO-critical software and EO-critical software platforms (the platforms on which EO-critical software runs, such as endpoints, servers, and cloud resources) from unauthorized access and usage. Measures here include use of multi-factor authentication, following privileged access management principles, and employing boundary protection techniques.
  2. Protect the confidentiality, integrity, and availability of data used by EO-critical software and EO-critical software platforms. Measures here include maintaining a data inventory, protecting data at rest and in transit, and back up data with a tested recovery plan.
  3. Identify and maintain EO-critical software platforms and the software deployed to those platforms to protect the EO-critical software from exploitation. Measures here include maintaining a software inventory, have a patch management plan, and use configuration management practices.
  4. Quickly detect, respond to, and recover from threats and incidents involving EO-critical software and EO-critical software platforms. Measures here include recording necessary logging information, continuous security monitoring, and using endpoint and network security protection.
  5. Strengthen the understanding and performance of humans’ actions that foster the security of EO-critical software and EO-critical software platforms. Measures here include training all users and administrators of EO-critical software and conducting frequent awareness activities.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Fotis Fotopoulos on Unsplash

 

Articles

Ransomware talks: How Biden could push Putin to the…

Under pressure to end the ransomware scourge, the White House faces strong headwinds. The problem: Putin has no motivation to change the status quo.

As the United States comes out of yet another major attack by a Russian ransomware gang, this one leveled at Florida-based software provider Kaseya by the REvil threat group, the administration is ramping up its rhetoric about holding Russia responsible for the criminal actions taking place within its borders. During a recent press briefing White House press secretary Jen Psaki said that a “high level” of U.S. national security has been in touch with top Russian officials about the Kaseya attack. She also said that another ransomware-focused meeting between the two countries is scheduled for next week.

Psaki also passed on a warning to Russia. “As the president made clear to President Putin , if the Russian government cannot or will not take action against criminal actors residing in Russia, we will reserve the right to take action on our own.”

The next day, Biden called together his top advisors, including key players from the Department of Justice and the Department of Homeland Security, for a ransomware strategy session in the White House Situation Room. It’s not clear yet what the brainstorming produced, but the pressure is on the administration to end the ransomware scourge.

Crowdstrike co-founder and former CTO Dmitri Alperovitch and Russia expert and Director of the Wilson Center’s Kennan Institute Matthew Rojansky penned an op-ed urging Biden to give Russian President Vladimir Putin an ultimatum on ransomware. “If Putin chose to take the problem seriously, as Biden demands, Russian security officials could quickly identify and interdict the attackers and force them to unlock the data to stop the damage to businesses worldwide, including in the United States,” they wrote.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Artem Beliaikin on Unsplash

 

Articles

Proposed bill would create a new federal agency to…

The Data Protection Act of 2021 has wide-ranging definitions of high-risk data practices and privacy harm.

n mid-June, Senator Kirsten Gillibrand (D-NY) reintroduced a new version of her bill, the Data Protection Act of 2021, that would create a new independent, executive-level government agency, the Data Protection Agency (DPA). The DPA would “protect Americans’ data, safeguard their privacy, and ensure data practices are fair and transparent.”

Under the bill, the DPA would have the authority and resources to enforce any data protection rules created by Congress or the agency itself, backed by a range of enforcement tools, including civil penalties, injunctive relief, and equitable remedies. In addition to creating privacy rules and enforcing federal-level rules, the DPA would reach out to organizations to promote data protection and encourage the adoption of model privacy and data protection standards, guidelines and policies.

The new bill, which features substantial changes to Gillibrand’s original 2020 legislation, spells out DPA’s three core missions:

  1. Authorize DPA to create and enforce data protection rules to give Americans more control and protection over their data by regulating high-risk data practices and personal data collection.
  2. Foster innovation by ensuring fair competition within the digital marketplace by having DPA’s research unit analyze and report on data protection and privacy innovation across sectors. The research unit would also develop the model privacy and data protection templates.
  3. Prepare the American government for the digital age by advising Congress on emerging privacy and tech issues while coordinating with Federal agencies and State regulators to promote consistent regulatory treatment of personal data.

This article appeared in CSO Online. To read the rest of the article please visit here.

 

Articles

NIST defines “critical software” with a broad range of…

The goal is to enable stronger security practices for government-purchased software mandated by President Biden’s cybersecurity executive order.

A significant part of the Biden administration’s wide-ranging cybersecurity executive order (EO) mandates that the National Institute of Standards and Technology (NIST) define what constitutes “critical software,” a deliverable that is central to the wider effort of securing software supply chains. Last week NIST made good on this assignment when it released a preliminary list of software categories within the scope of this definition.

The EO stipulates that NIST’s definition “shall reflect the level of privilege or access required to function, integration and dependencies with other software, direct access to networking and computing resources, performance of a function critical to trust, and potential for harm if compromised.” Thus, the goal of the definition is to drive several additional activities required under the EO to shape how the federal government purchases and manages deployed critical software.

One driving principle behind the critical software definition is that when combined with other aspects of the EO, software acquisition by the federal government would tilt over time toward only those products that have met reasonable security measures. The hope is that the federal government’s “power of the purse” would spill over to the private sector because most major software suppliers sell to both public and private sector customers and would find it more efficient to create a single secure product for both sectors.

This article appeared in CSO Online. To read the rest of the article please visit here.

 

Articles

Four states propose laws to ban ransomware payments

Some state legislatures are debating bills that could limit or ban ransom payments. A better option, experts say, is mandatory reporting of ransomware attacks.

Following the epic ransomware attacks on Colonial Pipeline and top meat producer JBS, some government officials have called on Congress and the administration to ban organizations from making ransom payments to threat actors. The goal of such a ban would be to codify the FBI’s current advice: Don’t pay ransomware attackers lest you encourage more of the same.

Despite some support at the federal level, most administration officials don’t seem to embrace the idea of an outright ban fully. “Typically, that is a private-sector decision, and the administration has not offered further advice at this time,” Anne Neuberger, deputy national security adviser for cybersecurity, told reporters at a White House press briefing in May. No member of Congress or the Senate has yet introduced legislation banning ransom payments.

But the picture is different at the state level. So far, four states have five pending pieces of legislation that would either ban paying a ransom or substantially restrict paying it. In New York, Senate Bill S6806A “prohibits governmental entities, business entities, and health care entities from paying a ransom in the event of a cyber incident or a cyber ransom or ransomware attack.”

Another New York Senate bill, Senate Bill S6154, provides money so that local governments can upgrade their networks. But it also “restricts the use of taxpayer money in paying ransoms in response to ransomware attacks.”

New York stands alone in terms of barring private sector businesses from paying a ransom. Legislatures in North Carolina (House Bill 813), Pennsylvania (Senate Bill 726), and Texas (House Bill 3892) are all considering bills that would prohibit the use of state and local taxpayer money or other public money to pay a ransom payment. This public money prohibition would likely hamstring local governments from paying off ransomware attackers.

This article appeared in CSO Online. To read the rest of the article please visit here.

 

Articles

Government-mandated SBOMs to throw light on software supply chain…

The US government will soon require vendors to provide a software bill of materials to help ensure integrity of an application’s components.

President Biden’s executive order (EO) on cybersecurity, released on May 12, is a sprawling and comprehensive document that aims to redress weaknesses in the digital security ecosystem. It is peppered with nearly 50 actions that the federal government must take within extraordinarily tight timeframes, signaling the urgency of the cybersecurity crisis the country faces.

Several parts of the EO seek to shore up software security. This long-overlooked and arcane topic has taken on new urgency following the SolarWinds and Microsoft Exchange software supply chain hacks.

The first software security deadline in the EO, assigned primarily to the Commerce Department’s National Institute of Standards and Technology (NIST), is to publish a definition of what constitutes “critical software,” which in turn will trigger actions by other government agencies. NIST’s deadline for producing this definition is June 26, which is why the agency held a quickly organized workshop on June 2 and 3 attended by around a thousand interested parties.

Fifteen days after the release of NIST’s definition of critical software, another arm of the Commerce Department, the National Telecommunications and Information Administration (NTIA), will publish “minimum elements” of something that has been evolving over the past several years in the cybersecurity realm, a software bill of materials, or SBOM.

This article appeared in CSO Online. To read the rest of the article please visit here.

 

Articles

US Congress tees up ambitious cybersecurity agenda in the…

Roughly 115 cybersecurity-related bills are working their way through the legislative process, in many cases with bipartisan support.

The Biden Administration has been thrown into a thicket of cybersecurity troubles in its first six months, forcing the White House to issue complex cybersecurity executive orders, directives and policy changes in rapid succession. Congress, meanwhile, is teeing up an ambitious cybersecurity agenda of its own, sparking hopes that the recent spate of cybersecurity crises might break through the partisan logjam that has increasingly blocked meaningful legislative action.

Last week, Senator Majority Leader Chuck Schumer (D-NY) initiated a review of recent high-profile ransomware attacks in the run-up to new legislation. Then, Chairman Gary Peters (D-MI) and Rob Portman (R-OH), chair and ranking member of the Senate Homeland Security Committee sent a letter to national security adviser Jake Sullivan and Shalanda Young, the acting director of the Office of Management and Budget, asking the two officials to spell out within 30 days the legal authorities they think federal agencies need to combat ransomware attacks. Their responses could serve as the basis for new legislation to rein in ransomware.

This article appeared in CSO Online. To read the rest of the article please visit here.

 

Articles

Feds seize $2.3 million in cryptocurrency wallet reportedly used…

The successful seizure could encourage other victims to better cooperate with federal agencies and cause ransomware gangs to rethink their operations.

The Justice Department announced yesterday that it had seized 63.7 bitcoins currently valued at approximately $2.3 million that allegedly represents some portion of a May 8 payment by the Colonial Pipeline company to DarkSide ransomware attackers. Colonial Pipeline admitted paying the cybercriminals a total ransom of around $4.4 million in bitcoin to restore full functionality to its systems following the crippling ransomware attack announced by the company on May 7.

The Special Prosecutions Section and Asset Forfeiture Unit of the US Attorney’s Office for the Northern District of California seized the bitcoin wallet after a magistrate judge for the Northern District of California authorized a seizure warrant. News of the wallet seizure came as little surprise given that the DarkSide attackers themselves foreshadowed it when they announced in mid-May that the group lost control over some of its servers, including a payment server, and was shutting down due to “pressure” from the United States. At that time, DarkSide also stated that some of its funds had been withdrawn to an unknown account.

This article appeared in CSO Online. To read the rest of the article please visit here.