SANS NewsBites

Treasury Department Threatens To Prosecute Organizations that Pay Ransomware; Major Problem for Hospitals

October 2, 2020  |  Volume XXII - Issue #78

Top of the News


2020-10-01

US Treasury Advisory: Sanction Risks for Paying Ransomware Operators

According to a recent advisory from the US Treasury Department's Office of Foreign Assets Control, organizations that pay ransomware demands to certain groups could be fined if the recipients of the payments are under economic sanctions. The rule applies not only to the organizations that suffer the attacks, but also to the third-party companies they bring in to help manage the problem.

Editor's Note

This is a very big deal. It can give you the justification at the most senior levels of your organization to implement the CIS Critical Security Controls this year.

Alan Paller

OFAC rules and consequences around foreign transactions to sanctioned entities can be substantial. Develop a risk-based approach to support the payment decision now, as John enumerates, before it is needed, including consideration of sensitive data being released. Additionally, include reporting and cooperation with law enforcement in your response plan as this can mitigate the weight of any OFAC enforcement outcome.

Lee Neely

This is consistent with the FBI's updated guidance on dealing with ransomware, which came out in Oct 2019: "... the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers. Regardless of whether you or your organization have decided to pay the ransom, the FBI urges you to report ransomware incidents to law enforcement." The reminder that payments to sanctioned entities may incur fines was added here. However, the Treasury advisory still says "...OFAC encourages financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violations," and points to a May 2019 compliance framework requiring demonstration of (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training - essentially security hygiene. Bottom line: prevention of ransomware will always end up costing less than incurring or paying off successful attacks.

John Pescatore

Ransomware attacks must be resisted, not merely mitigated. They constitute a risk that must be reduced, not simply assigned to underwriters.

William Hugh Murray

2020-10-01

Universal Health Services Still Working on Restoring Systems After Ransomware Attack

As of Thursday, October 1, Universal Health Services (UHS) is still "work[ing] through an IT network security issue caused by malware." The attack began over the weekend; UHS shut down its network to prevent the malware from spreading further. While UHS has facilities in both the UK and the US, the issue affects only its US facilities.

Editor's Note

Hospitals are faced with challenging usability/security trade-offs, which include bearing the cost of security mitigations. Doctors and caregivers don't want emergency care inhibited by an inability to log in to a computer and order services rapidly. They need access to hundreds of hospital systems. Proximity cards coupled with added authentication to sensitive services are becoming more common, and the retrofit, both funding and implementing, without creating service disruptions is a huge challenge. Consider UHS's cost to recover, including loss of life of redirected patients, as an example when considering the ROI of increased security measures.

Lee Neely

2020-10-01

Lawrence General Hospital Investigating "Data Security Incident"

Lawrence General Hospital (LGH) in Massachusetts is working with a third-party forensic organization to investigate a "data security incident" that took place in mid-September. During the incident, LGH took its systems offline to secure its data. The hospital was able to continue to care for patients, but those arriving by ambulance were diverted to other facilities for approximately 36 hours.

Editor's Note

Critical systems, e.g., patient care systems, should be isolated from vulnerable systems running e-mail and browsers. That said, the report suggests that the hospital had plans in place to maintain critical care in the face of a breach. "A plan is a capability, the ability to do something in its presence that one cannot do in its absence. It is not a document that one takes out and reads while sitting in the ashes." -Robert H. Courtney, Jr.

William Hugh Murray

The Rest of the Week's News


2020-10-01

Pakistani Power Company Data Published Following Ransomware Attack

Ransomware operators have published data stolen from Pakistan's K-Electric power company. K-Electric suffered a ransomware attack last month and did not pay the $3.85 million demanded as ransom. The September 7th attack disrupted the company's billing services but did not interrupt power supply.

Editor's Note

Systems must be breached before "Ransomware" can be used. Extortion is only one possible consequence of such breaches. The most efficient strategy is to resist the breach, to raise the cost of attack to the point that it removes one from the target population. "One does not need to outrun the bear."

William Hugh Murray



2020-09-29

Swatch Group Acknowledges Cyberattack

Swatch Group, the Swiss company that makes the eponymous watches, says that its network was hit with a cyberattack over the weekend. Once the company detected the attack, it shut down IT systems to prevent further damage. Swatch Group did not provide details about the nature of the attack.


2020-09-30

Nikulin Sentenced

A judge in California has sentenced Yevgeniy Nikulin to more than seven years in prison for his role in hacking into and stealing data from LinkedIn, Dropbox, and Formspring. He will be credited for time served following his arrest.


2020-09-30

North Korean Hackers Targeted UN Security Council Members in Phishing Attacks

According to a report from the United Nations (UN), a hacking group with alleged ties to North Korea's government launched phishing attacks against UN Security Council members earlier this year. At least 28 individuals were targeted.


2020-09-29

US 911 Emergency System Outage

An outage affecting 911 emergency system availability in more than a dozen US states on Monday, September 28 appears not to be related to a Microsoft outage the same day, as some had speculated. Instead, the outage is more likely attributable to a problem at Intrado, a company that provides 911 and emergency communications infrastructure, systems, and services, or at Lumen, Intrado's network service provider.

Editor's Note

I remember not having time to patch, and not wanting to update a fully functioning server or service because it was working perfectly. Today, patching and monitoring security settings is a mortgage that must be borne with insourced services, and is a cost which may be overlooked when considering outsourcing ROI. It may be helpful to have policies around patch application and security setting validation, so staff know what is required and that these actions are important to management as well.

Lee Neely

Read more in:

KrebsOnSecurity: Who's Behind Monday's 14-State 911 Outage?


2020-09-29

Unpatched Exchange Servers

Nearly 250,000 Internet-facing Microsoft Exchange Servers remain unpatched against a critical remote code execution flaw in the Exchange Control Panel component. Microsoft released a fix for the issue nearly eight months ago. In March, the US Cybersecurity and Infrastructure Security Agency (CISA) and the NSA both urged organizations to patch the vulnerability as it was already being exploited in the wild.

Editor's Note

Poor quality in popular products puts the entire infrastructure at risk. Tens of thousands of instances are likely to go unpatched. Enterprises large enough to be running an Exchange Server should have a planned and routine program for patching, but such programs are unlikely to ever be universal.

William Hugh Murray

2020-09-29

Zerologon Attacks Spike

Cisco Talos has noted a significant increase in attempts to exploit the Zerologon vulnerability. The privilege elevation flaw can be exploited to take control of Active Directory identity services. Microsoft has released updated instructions for patching the vulnerability.

Editor's Note

The Microsoft guidance below makes the update and mitigation process easier to follow. If you are using Windows Server 2008 R2 SP1, you need an Extended Security Update (ESU) license to successfully install any update that addresses this issue. Better still, replace these with Server 2016 or higher, which will also give you access to updated security and user management options in Active Directory.

Lee Neely
Lee Neely

2020-09-25

QNAP Warns of AgeLocker Ransomware Targeting its NAS Devices

An advisory from QNAP warns of ransomware attacks targeting its network attached storage (NAS) devices. Dubbed AgeLocker, the ransomware exploits a vulnerability in older versions of the Photo Station app. The advisory includes update instructions to secure vulnerable devices.

Editor's Note

Storage devices should not be visible to the public networks. Who knew that they were running "older versions of the Photo Station app," much less that they posed a vulnerability to the enterprise? Patching is necessary but not sufficient. One should consider removing or hiding potentially vulnerable, but not mission critical, applications from the public networks.

William Hugh Murray



2020-09-30

Blackbaud SEC Filing Discloses That Breach Compromised Bank Account Data

Months after disclosing a ransomware attack that compromised data belonging to many of its clients, customer relationship management (CRM) software provider Blackbaud is now acknowledging that the attackers may have accessed more than just names and email addresses: bank account information may also have been compromised. The additional information came to light in an 8-K filing Blackbaud made with the US Securities and Exchange Commission (SEC) on September 29. The attack occurred in May. Blackbaud paid the ransom in exchange for the attackers' assurance that they had destroyed the stolen data.

Editor's Note

Transparency and full disclosure are required. The question is, do you trust that the attackers really destroyed the purloined data? Rather than second guess the company's payment decision, or the destruction of the data, be proactive and keep your credit monitoring updated, including responding to any alerts sent.

Lee Neely

Internet Storm Center Tech Corner

Managing Remote Access for Contractors and Partners 

https://isc.sans.edu/forums/di...


Scans for FPURL.xml: Reconnaissance or Not?

https://isc.sans.edu/forums/diary/Scans+for+FPURLxml+Reconnaissance+or+Not/26622/


Making Sense of Azure AD Activity Logs

https://isc.sans.edu/forums/diary/Making+sense+of+Azure+AD+AAD+activity+logs/26626/


IOCs Turning into IOOIs

https://isc.sans.edu/forums/diary/IOCs+turning+into+IOOIs/26624/


HP Device Manager Backdoor

https://support.hp.com/us-en/document/c06921908

https://www.theregister.com/2020/09/30/hp_device_manager_backdoor_database_account/


Updated Windows ZeroLogon Advisory

https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc


Cisco Patching Exploited DoS Vulnerabilities

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dvmrp-memexh-dSmpdvfz


FoxIT PDF Reader Update

https://www.foxitsoftware.com/support/security-bulletins.html


KensingtonWorks RCE

https://robertheaton.com/another-rce-in-kensingtonworks/


Apple Security Patch Pulled

https://mrmacintosh.com/mojave-2020-005-security-update-causing-major-problems-updated


Have I Been EMOTET Service

https://www.haveibeenemotet.com/