Consortium Networks Monthly Newsletter: December

It is indeed the holiday season and this month's news has shown that. Check out Consortium Network's bird's eye view of the past month in cybersecurity and insight on a number of topics including tax scams around the holidays, the tumultuous time in crypto and what that means for ransomware, and women in cybersecurity.

Be sure to sign up for the newsletter here to join our mailing list so you never miss an edition.

The Most Scam-able Time of the Year

With the kids jingle belling and everyone telling you to be of good cheer, the winter holiday season is truly the most wonderful time of the year, unless you work in cybersecurity. 

Just like Santa and the elves, cybersecurity teams must be at the top of their game during the holidays. It doesn’t take much digging to figure out why: from Operation Aurora in 2009 to SolarWinds in 2020 to the 30% spike in ransomware activity around this season, workplaces are understaffed, distracted, and vulnerable.

While much of the increased attack surface is created from increased online shopping and a barrage of marketing emails with enticing links promising sales-of-your-dreams (and made worse by expanding bring-your-own-device policies), the end-of-year deadline for tax write-offs and charitable contributions provide an alternate and often more valuable route for their operations. 

A Ransomware Revolution?

Though cryptocurrencies have never been marketed as a stable investment, the recent turmoil across exchanges has led to significant speculation over the future of crypto and what that future may mean for cybersecurity.

Ransomware criminals receive payment via cryptocurrencies to avoid being traced and maintain anonymity. The US Ransomware Task Force said that the “explosion of ransomware as a lucrative criminal enterprise has been closely tied to the rise of Bitcoin and other cryptocurrencies, which use distributed ledgers, such as blockchain, to track transactions.” 

In analyzing data on the growth of cryptocurrencies and the increasing damages caused by ransomware attacks, the two line up well. In 2015, ransomware caused around $6.5 billion in damages. At the same time, crypto was negligible in its share of the market- practically nonexistent. In 2017, there is a significant jump in both, a trend that follows through today. 

It would be easy to think that ransomware and cryptocurrencies are linked looking at this. Ransomware predates crypto by over 20 years, but is its explosion because of the introduction of this new form of fairly untraceable payment or did the two happen to coincide? If the answer is the former, will the significant insecurity in the crypto market following massive heists, scandals, and overall griftiness impact the ransomware market?

Story Behind the Story

Consortium Networks is thrilled to relaunch its "Story Behind the Story" interview series featuring the stories of women in cybersecurity. This month, we are excited to release two interviews: one with Nastassia Tamari and one with Melissa K. Griffith.

Follow the links below to read their stories.

In the News

Announcements, Reports, and Other Quick Bites: As the end of the year approaches, there are bound to be a surplus of reports and other announcements in the United States and across the world. Here are some to be aware of:

• Ransomware costs in 2021 surpassed $1 billion, a 200% year over year increase according to the Department of the Treasury.
• Australia is considering government action to ban making ransomware payments following a number of large-scale ransom events in the country in the second half of this year in hopes of undermining the ransomware business model through regulation. Australia also announced a joint cyber police taskforce between the Australian Federal Police and the Australian Signals Directorate to “hunt down the scumbags who are responsible for these malicious crimes.”
• The EU Agency for Cybersecurity released its top 10 cybersecurity threats likely to emerge by 2030. Included are supply chain compromise of software dependencies, advanced disinformation campaigns, increased digital surveillance, human error and exploited legacy systems, increasingly targeted attacks through smart device data, space-based infrastructure, advanced hybrid threats, skill shortage, AI abuse, and cross border information communication technology (ICT) service providers.
• The Red Cross released an assessment of the risks, benefits, and possible solutions to the idea of a digital red cross emblem on the networks of humanitarian organizations. The idea is to deter hackers from accidentally stumbling upon and attacking these systems while also enforcing international norms in the digital space.
• The cyber insurance market is stabilizing after a period of turmoil thanks to ransomware that led to increasing deductibles, premiums, and restrictions in coverage. 
• A government watchdog said that the Department of Interior’s Bureau of Safety and Environmental Enforcement is not doing enough to address growing cybersecurity risks in the offshore oil and gas industry.
• Researchers found that, data gathered by Apple on user usage does collect personally identifiable information even though its privacy policy explicitly says it does not.
• Though many hoped the great dual-hat debate might finally come to a conclusion through the Biden administration’s evaluation of the leadership structure of CYBERCOM and the NSA, no formal recommendations were made. Thus, the op-eds must continue.
• CISA released its first-ever strategic plan this month, outlining the agency’s four key areas it wants to drive change over the next three years: spearhead the national cyber defense effort, reduce risks to and improve resilience of American critical infrastructure, strengthen whole-of-nation operational collaboration and information sharing, and unify CISA.
• CISA, NSA, and ODNI released guidance on securing the software supply chain for customers as the final part of a three-part series that previously covered developers and suppliers

Regulators, Regulations, and the Rest: The tech giants have had a busy month with Google, Apple, Meta, Twitter, and TikTok all getting wrapped up in regulatory issues:

• While the combustion of Twitter is an interesting story to watch from the sidelines on its own, the story we are tracking here is the FTC’s “deep concern” over security issues following the resignation of Twitter’s CISO and a large portion of its cybersecurity team. 
• Only a few days after the FCC’s remarks that the U.S. should ban the app, TikTok said that staff in China can access U.S. and European data. The app argues that this policy is “based on a demonstrated need to do their job,” though it continues to draw heavy scrutiny and suspicion around the world.
• Meta was fined $275 million for violating the EU’s GDPR after a data breach last year leaked 500 million users’ information. This fine, imposed by Ireland, brings the grand total that Meta has been fined in Europe over the last 15 months to over $900 million.
• Apple is being sued under California’s privacy laws over what the plaintiff alleges is a willful violation of user privacy and monetization of user data without permission. 
• Google will pay almost $400 million over deceptive location tracking practices in a settlement with 40 states following the 2018 revelations of its actions.

Cyber Operations: There were a number of high profile non-ransomware cyber operations this month across critical infrastructure sectors including transportation, communications, and government facilities around the world. 

The transportation sector was heavily impacted this month. In Denmark, trains came to a full stop for days early in the month after the Danish train operator DSB had to shut down following the attack of a subcontractor. Mexico has had to halt the issuing of new permits, license plates, and commercial drivers licenses after its servers were hacked though no other information was released. Unfortunately for all around the world driving increasingly smarter cars, researchers this month found bugs allowing remote access and control of several kinds of cars made after 2012. Luckily, many patches have been released, but reducing the vulnerability of these increasingly connected devices that we use daily should be at the forefront of innovation.

Within the communications sector, Radio Free Asia user data was breached in a hack that impacted almost 4,000 people. Vulnerable data included user addresses, driver’s license numbers, health insurance information, medical information, and financial information. In Iran, the Fars state news agency was hacked, likely as part of a hacktivism operation in retaliation for the state’s coverage of protests over the death of Mahsa Amini.

The government systems of Hungary and Guadelupe were victims of cyber attacks this month. In Hungary, the group claiming responsibility for the attack contacted a Hungarian news agency to explain its motives, saying that they wanted to show the state that they are protesting against the government with this attack but aren’t going to leak the data because they do not want to bring harm to individuals. Guadelupe was hit with an attack but was able to recover quickly thanks to a strong continuity plan.

Major Ransomware Events: This month saw less ransomware than other types of attacks, but a number of countries and industries were deeply impacted, especially over the holiday in the United States. 

• Schools: Schools and universities saw a number of ransomware events over the Thanksgiving holiday and throughout the month. A school district in Michigan had to close for three days following a ransomware attack that completely impeded their ability to function in mid-November. Cincinnati State College was taken down over Thanksgiving by the same group responsible for the major Los Angeles county ransomware in September. Guilford College, Centura College, North Idaho College, and North Carolina College were all also hit by ransomware attacks this month by a number of groups.
• Government Systems: A ransomware group targeting the municipality of Zwijndrecht, Belgium, accidentally wound up in the systems of the town’s police department instead, making this attack one of the biggest of its kind to hit a public service in Belgium. On the other side of the world, Vanuatu’s entire public service sector was taken offline by a ransomware attack, even forcing the hospitals to move to paper and pen systems to continue serving their patients. 
• Other Industries: Thales, a French weapons manufacturer, was hit by the LockBit 3.0 ransomware group in early November but reported no disruption to the organization’s operations. In Canada, the Sobeys supermarket and pharmacy chain was victim to a ransom attack and data breach by the Black Basta ransom gang. Finally, the data of 5 million Air Asia passengers and employees was leaked after a ransom attack in mid-November.
• Apps: An alarming trend that has emerged is the use of legitimate websites to spread malware. One example this month was the use of a popular TikTok challenge that encouraged users to pose naked behind a special filter. Hackers then claimed to have another “unfilter” that would remove the filter and expose the original video. Through this, hackers sent out malware to those attempting to use the “unfilter.” A second example from November is the new “AXLocker” ransomware family that not only demands a ransom payment from victims, but alo steals their Discord credentials.

On a positive note, in an interview with Politico, NSA Cyber Director Rob Joyce said that ransomware activity is back to the historical norm following its recent uptick.

Russia: A report was released this month from the Treasury Department saying that Russian hackers accounted for 75% of ransomware attacks in 2021, though it isn’t known how many of the attackers were working on behalf of the state. Russia has stayed in the cyber headlines this year as well, with Australia confirming that the massive Medibank hack was done by Russian hackers and with the discovery reported by Reuters that Russian software disguised as American made its way onto multiple government agency devices including the U.S. Army and the CDC. On the battlefield, Russia’s strategy against Ukraine has been incredibly aggressive and destructive and has primarily targeted “edge” devices like firewalls, routers, and email servers, according to analysts at Mandiant.

Policy and Politics

Domestic Policy

Focus on Space: The U.S. government appears to be reallocating attention toward space with the FCC launching a space bureau and CISA urging cyber leaders to treat space as a critical infrastructure. 

The FCC’s new bureau will work to address issues around satellite launches and space policy at large. The agency’s chair Jessica Rosenworcel noted that though the industry is growing rapidly, “regulatory frameworks… have not kept up.” 

CISA wrote to President Joe Biden and Congress that space and bioeconomy should be two new sectors of critical infrastructure. The agency argued that these two industries fit recommending criteria for critical infrastructure designations including the potential for disruption within various sectors of the US economy to cause debilitating impacts on society. Critical infrastructure sectors receive more resources and undergo greater regulatory scrutiny.

Government Platforms: In addition to September's announcement by the Department of the Treasury that it was seeking comment on what a state-structured cyber insurance program could look like, CISA announced this month that it is requesting information to assist in the development of cyber threat intelligence capabilities.

Tech Ban: As part of the continued decoupling efforts from Chinese technology, the FCC this month banned U.S. sales and imports of Huawei and ZTE equipment. According to commissioner Brendan Carr, the decision marks the first time the FCC has banned equipment based on national security concerns.

Moves in Transportation: The TSA issued an advanced notice of proposed rulemaking seeking input on how to strengthen cybersecurity and resiliency in the pipeline and rail sectors. Comments are open until January 17, 2023.

In the same vane, Representative Randy Weber (R-TX) introduced a bill in November named the “Next Generation Pipelines Research and Development Act” which includes provisions for the development of advanced strategies and technologies for integrated cybersecurity and to counter cyber attacks.

Focus on Finances: On the national level, committee hearings on Senator Jon Ossoff’s (D-GA) “Improving Cybersecurity of Credit Unions Act” were held this month. If passed, the bill would amend the Federal Credit Union Act requirements to strengthen their defenses against cyber attacks.

At the state level, the New York State Department of Financial Services (NYDFS) cybersecurity regulations were finalized. In comparison to the draft covered by Consortium Networks in August, the final document changed the definition of Class A companies, softened requirements around some key controls to be more in line with original Part 500 requirements, and recognized the need for longer implementation periods for some technical elements originally proposed.

Global Policy Action

European Union: The EU was very active in the cyber policy space this month: 

• In response to Russia’s invasion of Ukraine, the EU proposed a united cyber defense front to coordinate and increase collaboration among member states’ cyber active defense systems. 
• The Digital Operational Resilience Act (DORA) was finalized this month as well which, after a two year implementation period, will impose operational resilience requirements and management oversight requirements on financial services.
• The EU Media Freedom Act was proposed in pursuit of better protection of journalists by banning advanced military-grade spyware.
• The European Parliament greenlit the Second Network and Information Systems Directive (NIS2). This directive, if approved by the EU Council, would expand the current NIS Directive and update critical infrastructure cybersecurity obligations.

Italy: Italy announced a ban on using facial recognition technology including smart glasses in response to Lecce and Arezzo announcing that it would begin using these devices for at least a year until a general law can be passed through the Italian Parliament. The moratorium provides an exception for judicial investigations or for fighting crime.

United Kingdom: In its continued effort to create a new British data privacy law post-Brexit to replace the GDPR, the U.K. announced that it is considering provisions that would relax requirements for businesses in collecting and using customer data. The United Kingdom can pass whatever kind of data privacy legislation it would like, but it must remain in the realm of the EU’s regulation to continue existing legal agreements between the jurisdictions.

On the information sharing side, the U.K. introduced mandatory cyber incident reporting for managed service providers (MSPs). The new regulation bears fines of up to $20 million for non-compliance with incident disclosure or minimum security requirements.

India: India proposed a new data privacy law this month that would allow greater user data transfers abroad. This new law comes after the withdrawal of the 2019 privacy bill that imposed stringent regulation on cross-border data flows and would significantly impact how large tech companies conduct business in India.

Our Services

Your Cyber Concierge: Our team is ready to help you find solutions for all of your cybersecurity needs. From Endpoint Detection and Response to Multifactor Authentication to Threat Hunting, we will work with you to find the best solution for your organization and your specific budget, needs, and goals. 

Cybersecurity Assessments: Trust our team to quickly and consistently measure your controls against the NIST Cybersecurity Framework, including coverage against each specific domain and sub-domain, maturity of implementation, and provide actionable, prioritized recommendations. Our assessment will satisfy common compliance and regulatory requirements related to regular cybersecurity risk assessments.

Incident Response Planning, Playbook Development, and Tabletop Exercises: To be effective, incident response planning must be relevant to the core functions of your organization. By developing documents to guide actions in a time of crisis, and testing those approaches regularly, your organization will be maximally prepared to minimize the operational impact of a cyber event. Contact Consortium Networks for more information.

Cybersecurity Policy Development, Review, and Refresh: The threat landscape is constantly evolving. So, too, are regulatory and compliance requirements, as well as expectations from clients and third parties. Cybersecurity policies need to anticipate future threats and be kept up to date with accepted best practices while at the same time balancing ease of understanding and implementation. Let us take care of this process for you.

Request for Proposals (RFP) and Procurement Advisory: The requirements set forth in an RFP will determine not only the breadth and depth of potential responses but will also shape all future interactions on the topic with the responding parties such as contract negotiation, payment terms, deliverables, and acceptance criteria. The RFP sets expectations for both parties and outlines avenues available to hold each accountable. Avoid frustrating and costly amendments by making sure your organization has appropriately scoped your RFP from the start.