ISMG Editors: MOVEit Breach Fallout, Cybercrime Innovation
Also: Hospitals Warned of Web-Tracking Tools, U.S. DOJ Reorganizes Units
Anna Delaney (annamadeline) • July 28, 2023
In the latest weekly update, four editors at Information Security Media Group discussed important cybersecurity and privacy issues, including the surging number of MOVEit breach victims and the state of ransomware innovation, why the federal government warned healthcare firms about the use of web trackers, and how the DOJ is expanding its "whole of government" approach to fight ransomware.
The panelists - Anna Delaney, director, productions; Tony Morbin, executive news editor, EU; Marianne Kolbasuk McGee, executive editor, HealthcareInfoSecurity; and Mathew Schwartz, executive editor, DataBreachToday and Europe - discussed:
- Updates on the latest tally of MOVEit victims and what the incident reveals about the state of innovation in the ransomware ecosystem;
- How the Federal Trade Commission and the Department of Health and Human Services are jointly warning dozens of hospitals and telehealth providers of potential data privacy and security violations involving the use of online tracking technologies;
- Why the U.S. Department of Justice is merging its Computer Crime and Intellectual Property Section and the National Cryptocurrency Enforcement Team.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the July 14 edition on why the U.S. is behind on securing credit cards and the July 21 edition on Microsoft's move to expand logging access.
Anna Delaney: Hi, and welcome to the ISMG Editors Panel. I'm Anna Delaney, and this is our weekly editorial analysis of the most important cybersecurity and privacy stories. I'm delighted to be joined by my excellent colleagues, Marianne Kolbasuk McGee, executive editor for HealthcareInfoSecurity; we've got Mathew Schwartz, executive editor of DataBreachToday and Europe, and Tony Morbin, executive news editor for the EU. Wonderful to see you all.
Mathew Schwartz: Thanks for having us.
Delaney: Matt, starting with you this week, we return to the MOVEit hacks, and the confirmed number of victims impacted by the Clop group's supply chain attacks grows even bigger. And just as a reminder, this is the Clop group's mass exploitation of MOVEit's file transfer software. So Matt, where are we now with the incident and what's the extent of the damage?
Schwartz: Great question! I am hesitant to commit to numbers because things have a habit of changing hour to hour still with this attack campaign. But we can say that there are north of 450 organizations known to have been affected. Now, about 20%, give or take, of those organizations have issued a public statement counting the number of individuals whose personal information was exposed as a result of these attacks. And so far, we've got 23 million individuals, mostly in the United States, having been affected by these breaches. So this is massive. And it's amazing punching power, if you will, for what ransomware tracking experts say is a relatively small group. There is a report that just came out from ransomware incident response firm Coveware, which estimates that Clop might clear $75 million to $100 million off of this single campaign. That is disturbing on a number of fronts. First of all, because Clop isn't very big. And if a relatively small number of people can get that much money off an attack, that's horrifying, especially if others try to emulate it. There are so many interesting angles here, speaking somewhat dispassionately about this attack, especially if you were an individual whose information was exposed. Social Security numbers in particular have been exposed, which is a big problem if you are in the United States, because it's still used as an attempted unique identifier, which it was never designed to do. So it puts you at risk of identity theft. Lots of the organizations that have been affected when Social Security numbers have been exposed are offering free identity theft monitoring, free credit monitoring. Now, this doesn't make the problem go away. It doesn't mean that there isn't time spent by victims trying to see if their identity has been stolen. So it's not a great scenario.
But if we step back, this attack is fascinating because it shows that for cyber criminals, as with most types of crime, I suppose, but especially cybercrime, time is money, and the most successful groups, and I think we need to include Clop in that category, have a way of innovating in a manner which might befit a Harvard Business Review case study. What they've done here is instead of trying to hit a big victim, hacking into their network, deploying cryptolocking malware, shaking them down, hoping they'd pay, with all of the incumbent costs associated with that, buying their way in, bringing in experts in hacking. What they've done is they have somehow - we don't know how - found this zero-day vulnerability in widely used file transfer software called MOVEit from Progress Software. And this has allowed them to hit an unknown number of organizations. But hundreds, conservatively speaking hundreds of organizations all at once, over a couple of days. Progress Software, to its credit, when this attack campaign started, quickly drafted a patch, put out a security alert, and organizations mostly got that installed pretty quickly. It's not even clear if Clop was still attacking people once this patch came out. It may have done all the damage it needed to do just in the first 48 hours or so of the attack. But what it seems to have done is probably gotten ransom payments from at least a few of the big victims. Experts say that it demanded massive ransoms from some of the big organizations that it had hit, and it has probably gotten paid. So you have all of this, I won't say collateral damage, but extra damage in the form of all these other organizations that it managed to hit at the same time. So from a criminal standpoint, this is very elegant: it's automated, they hit hard, they hit fast, they hit lots of people, and they seem to have made a lot of money. When it comes to ransomware, this is not a direction of travel that we want to see things going in.
And what has this done to MOVEit's reputation? Progress Software, I mean. Are impacted companies still using them? Still using the software? I have not seen any company saying it's going to give up MOVEit. I have seen them saying that they've put some extra security controls in place that had been suggested by various firms. But I think, I mean, this is a classic supply chain attack. This is a widely used piece of software. As I said, Progress got a patch up very quickly. They were very transparent and moved. Again, they moved quickly. I can't fault them here. I don't think so. It's a challenge. It begs the question of what other pieces of widely used software Clop or another group hoping to unleash an attack like this might already have access to or might already be experimenting with.
Delaney: You said that Clop's success comes despite a decline in the number of victims who pay a ransom. Just tell us more about this.
Schwartz: Yes. So if you look, in the last six months, say, there is a peak of 45%. This is Coveware speaking. Forty-five percent of organizations hit by ransomware that it worked with paid a ransom, maybe didn't pay the initial offer, but paid a ransom. That's horrible, right? So that has gone down thankfully to about one in three, which still seems like a lot. But if you are a ransomware group, as I said, there's a sunk cost. If you're trying to hack into a large organization that you can demand a big ransom from, you need to get access, and you need to have highly skilled people that you're paying or working with as business partners, huge sunk costs. So that cost hasn't gone down. And as they've been attempting to hit organizations, they've been getting fewer ransom payments. So you see this pivot by Clop, which does the classic style of ransomware as well, but this pivot, I don't know how much they paid for the zero day or for the expertise that gave it to them. But it's been extremely lucrative. So you see all these different groups testing these different innovations to see what gives them their next big payday.
Delaney: Wow, that was excellent. Thanks for those updates. Okay, Marianne, our next story is about sensitive data and tracking tools. And you've written this week that the Federal Trade Commission and the Department of Health and Human Services are jointly warning dozens of hospitals and telehealth providers of potential data privacy and security violations involving the use of online tracking technologies. So can you tell us more about these potential violations?
Marianne McGee: Sure. As you mentioned, late last week, in a rare move, the Federal Trade Commission and the U.S. Department of Health and Human Services announced that they had sent letters to 130 hospitals and telehealth providers, warning about their possible use of web tracking tools such as Meta Pixel and Google Analytics in those companies' websites and mobile apps. Now, each of these two agencies has previously publicly advised against the use of online tracking tools due to serious privacy concerns. But now these warnings from these two U.S. federal regulatory agencies are getting louder. They're basically sort of forewarning of pending enforcement actions. Now, the FTC this week also followed up the announcement about the letters with its own blog that kind of dived into the dangers of using web tracking technology. The regulators say that these tracking tools, when integrated into health-related websites and mobile apps to share consumer and patient data with third parties without the individual's knowledge or consent, could amount to violations of laws and regulations, including the FTC Act, the FTC Health Breach Notification Rule and HIPAA. Now, among the concerns, the agencies say that these tracking technologies on webpages generally have access to users' sensitive information, including protected health information, such as an individual's IP address, medical record number, home or email addresses, the location of where they're seeking treatment, diagnosis and treatment sorts of data, and other sorts of details that could provide insights into a person's medical conditions. So now, in the aftermath of the U.S. Supreme Court overturning Roe v. Wade last year, ending the nationwide right to an abortion in the U.S., the agencies are concerned that an individual's tracking information, when shared with third parties, could be used or misused for stalking and harassment and even potentially to launch criminal investigations into the medical care that a patient has sought information about.
But even aside from the reproductive health care service concerns, the tracking tools can also collect sensitive information that conveys other insights into a person's private health issues. For example, one of the examples that the FTC uses is that the tracking tools can collect and share consumers' location data, such as repeated trips to a cancer treatment center, which would potentially reveal highly sensitive information about that person's health status. Now, aside from these targeted letters that the agencies sent last week, in the bigger picture, the FTC and the HHS OCR have also been sending an overall strong message to other companies hinting of imminent enforcement actions involving the use of these trackers. Now the FTC in recent months has already taken a few enforcement actions against health care providers, directory telehealth providers, including BetterHelp and GoodRx, plus a mobile fertility app vendor called Premom, in cases involving those companies using tracking tools that allegedly shared consumers' information with third-party analytics and social media firms without the individual's consent. Meanwhile, as of right now, HHS OCR has not yet taken a HIPAA enforcement action involving the use of these online trackers. But the agency's leadership, including an official from HHS OCR who spoke at our ISMG Healthcare Summit last week, said that HHS is very busy right now investigating such cases, and that enforcement actions likely will be coming soon.
HHS OCR last December also issued guidance about the use of online tracking tools, warning that HIPAA-regulated entities that use these tools are not permitted to implement them and use them for impermissible disclosures of protected health information to third parties or for any other sort of violations of the HIPAA rules. There have already been several U.S. hospital systems that have reported large HIPAA breaches to HHS OCR in recent months following the agency's guidance last December warning about the use of the tracking tools. Now, for the FTC, violations involving the FTC Act or the Health Breach Notification Rule have already been enforced with financial penalties for these companies, the couple of companies that have had these citations against them. But for HIPAA violations, potentially there are also potential monetary fines. And in rare cases, there is criminal prosecution that is accessible to regulators to go after. So we'll see if these recent warnings from the FTC and HHS are signs of aggressive new enforcement actions by the agencies. But in general, researchers have found that these tracking tools are in thousands of websites. So, there's a lot of potential violations out there that could happen, that probably won't happen. But I think that the warnings are basically to get these companies that use these tools to sort of reevaluate how they're using them.
Delaney: And what do you think will be the impact on consumer trust in these online health tools, Marianne?
McGee: Well, I think consumers, I think everyone's been in the situation where you do research on something, then all of a sudden, you're getting messages about a product or type of product that you looked at, and I think that makes people feel creeped out. But when it comes to details about the kind of medical care that someone might have been searching for on a hospital's website that creeps them out because it is potentially revealing things that may or may not be true about that person. But who wants other people to know their business when it comes to health issues? And yeah, that's the thing that the agencies are most concerned about right now, how this information could be misused by third parties.
Delaney: Well, thanks. Thanks so much, Marianne. Tony, the U.S. Department of Justice is reorganizing units and expanding its whole of government approach to better fight ransomware. Tell us about this new approach.
Tony Morbin: Now, when Bitcoin launched, cryptocurrencies were meant to be the future of money, but their primary characteristic, the anonymity of ownership, kind of made them the future of crime. Now, every aspect of the ecosystem and its development has been peopled by dodgy operators and scams. And many of its biggest adopters, and its most widespread use case, beyond get-rich-quick speculation, has been payment for crime. So we've had rug pulls by new coin issuers, we've had borrowing of the assets of investors by issuers, potential investors going into fake sites to invest, actual investors being tricked into giving access to their wallet or transferring funds to criminals, attacks on the infrastructure, especially crypto bridges, tumblers and exchange sites accused of facilitating money laundering. And then of course, the main one, as Matt was talking about, cryptocurrency being literally the currency of crime online, most especially ransomware payments. Now, that's not to say that there aren't legal scenarios for the future of decentralized finance, in which there are benefits for society and individual users, but it's currently such a freefall, and it's almost inextricably linked to online crime. And that linkage is now explicitly recognized in the U.S., with the DOJ merging its cryptocurrency and its computer crimes investigation units. Due to the central role of digital assets in ransomware hacks and other online crime, criminal cryptocurrency work and cyber prosecutions are intertwined, and it will become even more so in the future, says Nicole Argentieri, the principal deputy attorney general, adding that the merger is going to make cryptocurrency cases equal in status to computer crimes. The move is part of an ongoing increase in targeting of ransomware operators that ramped up in the aftermath of the Colonial Pipeline attack in May 2021, and, as Matt's been describing, their targeting of supply chains.
In fact, earlier this year, the Biden administration declared that under its National Cybersecurity Strategy, ransomware is now being specifically targeted as a threat to national security and public safety. So putting the National Cryptocurrency Enforcement Team under the same roof as the Computer Crime and Intellectual Property Section is reported to more than double the number of federal prosecutors that are actually going to be authorized to handle cryptocurrency criminal cases. And that seems to be the biggest outcome. The Computer Crime and Intellectual Property Section experts will continue to investigate and prosecute ransomware attacks, while the National Cryptocurrency Enforcement Team investigators will track and pursue the ransomware payments with the aim of freezing and seizing them before they go to Russia and other ransomware hotspots. Separately, we've just seen a congressional committee is set to vote this week on several bills to develop a regulatory framework for cryptocurrencies, in further bits of reining in the more lawless aspects of the crypto wild west. Okay, nobody is saying that any of these moves are the complete solution, but they are a tightening of the screw. And ironically, cryptocurrency use, so long ransomware operators' ace in the hole, is now potentially a weak spot due to the immutable blockchain ledger allowing tracing of transactions. And going after the money is always a smart move in any financially motivated crime. So assuming this development proves successful, it's one that other jurisdictions are likely to copy.
Delaney: Very good. Well, Tony, this is positive news. Thank you very much. And finally, and just for fun, I'd like you to share a recent quote you love from an interview or expert in the field. What have you had recently?
Schwartz: Okay, should we battle it out?
McGee: Not recent, but go ahead.
Schwartz: Sure. So, one recent thing we saw was the Norwegian government getting taken down by a zero-day vulnerability in its Ivanti Endpoint Manager Mobile software, formerly known as MobileIron Core. Got all that out of the way. So the quote I have is from Kevin Beaumont; he's an outspoken British cybersecurity professional. He posts online a lot under the moniker GossiTheDog, and he was urging others to pivot to transparency when it comes to being forthright about a breach. This was a criticism of Ivanti, which he said originally tried to hide information about the breach on its customer service portal, and you had to log in to get details of it. And it wasn't necessarily flagged on the Ivanti sites as being a problem. And it was a huge problem. He said it's trivial to exploit this flaw. And that should have been something they were trumpeting and saying we're working overtime to fix this. Instead, he's accused them of not being transparent.
Delaney: Great, great quote. Marianne, do you want to go for it?
McGee: Sure, mine is not a recent quote. But it's one that sort of I've always remembered. Years and years ago, I attended, I don't even know what the reception was, but it was a reception at the Boston Computer Museum. I think that's been long gone. But one of the speakers there was Rear Admiral Grace Hopper, who was a pioneering computer programmer and a U.S. Navy officer. And I don't remember exactly what her speech was about. But one of the things that she said, and she's also often requoted saying, is that it's easier to ask forgiveness than it is to get permission. And I think what she was saying was that when it comes to trying new, innovative things, try them out. And then if people don't want you to do it, then just say you're sorry, but at least you got to try. And I think that there's some merit to that, but I think for computer security people that could be something that's very worrisome. People in your organization forging ahead with new AI sorts of tools and not telling anybody about it until there's a problem. Well, that could be a problem. So I think even though it's an old quote, I think it still resonates, especially when it comes to security issues.
Delaney: Very good. And Tony?
Morbin: Well, I'll certainly live by that quote that Marianne just said; I think it's a great one. I'm going to quote Bridget Kenyon, CISO at Shared Services Connected, who I interviewed at InfoSec just the other month, here in London. And we were talking about bias in AI, errors or hallucinations or misuse, and where we can, what are the benefits and the minuses of using AI. And she just came up with: AI is just like us, but faster.
Delaney: Very true, very true. Great quote from Bridget. I just wanted to share something I found online from Tim Leberecht, head of all the conferences in Vegas, upcoming conferences like Black Hat. What happens in Vegas ends up on YouTube. Well, thank you, everybody, Tony, Marianne, Mathew. It's been a pleasure as always.
Schwartz: Thanks for having us on.
Delaney: Thank you.
Morbin: I'm just thinking that Marianne's quote ties in with yours. That's where you go asking for forgiveness.
Delaney: We're all linked. And thanks so much for watching. Until next time!