Binary Check Ad Blocker Security News

Last week, the Executive Order on Protecting the United States from Certain Unmanned Aircraft Systems (UAS) expanded the U.S.-China drone controversy to North Korea, Iran, and Russia.

The Order also provides the Secretary of Commerce with the authority to designate “any other foreign nation, foreign area, or foreign non-government entity engaging in long-term patterns or serious instances of conduct significantly adverse to the national or economic security of the United States,” in addition to China, North Korea, Iran, and Russia.

The purpose of the Order is to “prevent the use of taxpayer dollars to procure UAS that present unacceptable risks and are manufactured by, or contain software or critical electronic components from, foreign adversaries, and to encourage the use of domestically produced UAS.” However, this Order is not necessarily a “cease-and-desist” order; instead, it requires federal agencies to review their “authority to cease” procuring, funding or contracting the “covered UAS” of such foreign adversaries within the next 60 days. A “covered UAS” includes a drone that:

  • is manufactured, in whole or in part, by an entity domiciled in an adversary country;
  • uses critical electronic components installed in flight controllers, ground control system processors, radios, digital transmission devices, cameras, or gimbals manufactured, in whole or in part, in an adversary country;
  • uses operating software (including cell phone or tablet applications, but not cell phone or tablet operating systems) developed, in whole or in part, by an entity domiciled in an adversary country;
  • uses network connectivity or data storage located outside the United States, or administered by any entity domiciled in an adversary country; or
  • contains hardware and/or software components used for transmitting photographs, videos, location information, flight paths, or any other data collected by the UAS manufactured by an entity domiciled in an adversary country.

The Order also requires federal agencies to inventory covered UAS that are already owned or operated by the agency, and then to report their existing security protocols. However, and particularly with respect to China, several federal agencies have already conducted this inventory and assessment. No later than 120 days after the inventory reports are completed, the Director of National Intelligence, the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, the Director of the Office of Science and Technology Policy, and the heads of other agencies will review the reports and submit a security assessment to the President, including recommended mitigation steps for decreasing the risks associated with these UAS and whether the use of any UAS should be discontinued completely by federal agencies.

The Federal Aviation Administration (FAA) must also lay out restrictions on the use of UAS on or over critical infrastructure within 270 days of the Order; the FAA already has the power to issue a Temporary Flight Restriction (TFR). At present, TFRs can be requested only by national defense, national security, and federal intelligence departments and agencies. However, other government or private sector entities can, in the interest of national security, ask those agencies to sponsor a TFR over critical infrastructure (e.g., oil refineries and chemical facilities). The goal of the Order is perhaps to provide a direct line from private industry to the FAA.

We’ll see if the Order has staying power and the funding to support it. Stay tuned.


Today (January 27, 2021) was a BIG win for law enforcement in their efforts to combat cyber crime. U.S. and European law enforcement agencies announced today that, through joint efforts and cooperation on “Operation Ladybird,” the computer servers and infrastructure that had been used by the criminals behind Emotet to victimize individuals and organizations through phishing schemes and to distribute vicious strains of ransomware such as Ryuk were seized and are now out of the control of the cyber criminals. Emotet has been described as a cybercrime-as-a-service program because it is a pay-per-install botnet.

According to reports, Emotet has been used by criminals to defraud victims of millions of dollars through extortion and data theft, and the U.S. Department of Homeland Security has estimated that it has cost U.S. state and local governments up to $1 million per incident following an Emotet infection. Investigators have estimated that more than one million Microsoft Windows systems are currently affected by Emotet infections, so the takedown is particularly important for those already-infected systems.

According to Europol, “The Emotet infrastructure essentially acted as a primary door opener for computer systems on a global scale.”

This win doesn’t mean that the criminals behind Emotet can’t rebuild and continue to wreak havoc in the future, but slowing them down a bit is helpful in combating cyber crime and in protecting the data of individuals and companies.

On the heels of the concerning security incident experienced by FireEye, and during the investigation of its own incident, FireEye discovered that multiple updates issued by SolarWinds, a cybersecurity firm whose software many governmental and private companies use to monitor networks, were “trojanized”: malware was inserted into the updates between March and May of 2020.

The malware allowed Russian operatives to hack into several governmental agencies, including the Departments of Homeland Security (DHS), State, National Institutes of Health, Commerce (National Telecommunications and Information Administration Office) and Treasury. In addition, it is reported that the Departments of Justice and Defense also were customers of SolarWinds. The DHS’s Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to all government agencies to disconnect and stop using SolarWinds.

This compromising situation is obviously concerning for national security, particularly since CISA’s Director Christopher Krebs was recently summarily dismissed and many other top leaders of the agency have departed, at a time when we most need strong leadership from the federal agency in charge of cybersecurity.

Unfortunately, the bad news doesn’t stop there. SolarWinds reported to the Securities and Exchange Commission this week that it believes that approximately 18,000 of its private company customers also could be affected by the malware.

Security experts are warning all private companies to follow the CISA emergency directive to federal agencies and to disconnect and stop using SolarWinds until the details can be sorted out. This is sound guidance for companies that use SolarWinds to mitigate risk until more information is available. It is important that executives and IT personnel be in close contact about whether the company uses SolarWinds and heed the CISA emergency directive to disconnect while the effects of the compromise are being determined.

On October 27, 2020, the FBI and the Department of Homeland Security (DHS) warned the health care industry about “an imminent cybercrime threat to U.S. hospitals and healthcare providers.”

According to the warning, which was shared during a conference call, the government has received “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.” The information was being shared with participants so they can take timely precautions to protect their networks from the threat.

According to KrebsonSecurity, the threat is believed to stem from a Russian cybercriminal gang that may be deploying Ryuk ransomware to more than 400 health care facilities in the U.S. It appears the attack is planned to be coordinated in order to maximize disruption in the health care sector.

Hospitals are urged to confirm that patching of all known vulnerabilities has been completed. Mandiant Solutions has released a list of domains and Internet addresses that have been used by Ryuk in the past in order to assist hospitals with identifying known methods used to infiltrate systems.

Based upon these warnings, hospitals and health care providers may wish to consider prioritizing patching and blacklisting the known domains and Internet addresses used by Ryuk today.
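One way a hospital security team could act on a published list of known-bad domains and Internet addresses is to sweep its own DNS query and web proxy logs for matches before (or alongside) adding block rules. The script below is an added example and is not code from the original post or from Mandiant. The indicator values, log lines and regular expressions are constructed placeholders for illustration; the post does not reproduce the Mandiant list, so the placeholders would be replaced with the published indicators before use.

```python
"""Sweep DNS-query and proxy log lines for hits against a block list of
known-bad domains and IP addresses.

Added example, not from the original post. Indicator values below are
constructed placeholders (RFC 5737 documentation ranges and reserved
TLDs), NOT the Mandiant-published Ryuk indicators.
"""
import ipaddress
import re
from typing import Iterable

# Constructed placeholder indicators (replace with the published list).
BLOCKED_DOMAINS = {"bad-example.invalid", "c2-placeholder.test"}
BLOCKED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),   # documentation range, placeholder
    ipaddress.ip_network("198.51.100.7/32"),  # documentation range, placeholder
]

# Constructed sample log lines: two BIND-style query-log entries and two
# proxy access-log entries. Only lines 1 and 3 should match.
SAMPLE_LOGS = [
    "27-Oct-2020 09:14:02.113 queries: info: client 10.0.0.23#51234: "
    "query: update.bad-example.invalid IN A + (10.0.0.1)",
    "27-Oct-2020 09:14:05.220 queries: info: client 10.0.0.24#51235: "
    "query: www.example.com IN A + (10.0.0.1)",
    '10.0.0.25 - - [27/Oct/2020:09:15:01 +0000] '
    '"GET http://198.51.100.7/gate.php HTTP/1.1" 200 512',
    '10.0.0.26 - - [27/Oct/2020:09:15:09 +0000] '
    '"GET http://www.example.org/ HTTP/1.1" 200 4096',
]

# Assumed log layouts; adjust to the resolver/proxy actually in use.
QUERY_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN")
PROXY_RE = re.compile(
    r'^(?P<src>[\d.]+) .*"(?:GET|POST|CONNECT) (?:https?://)?(?P<host>[^/:\s]+)'
)


def domain_matches(name: str) -> bool:
    """True if the name itself or any parent domain is on the block list,
    so a subdomain of a listed domain is still caught."""
    labels = name.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def ip_matches(value: str) -> bool:
    """True if value parses as an IP address inside a blocked network."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(addr in net for net in BLOCKED_NETWORKS)


def indicator_hits(lines: Iterable[str]) -> list:
    """Return one record per log line whose queried name or contacted host
    matches the block list: {"src": client address, "target": indicator}."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line) or PROXY_RE.search(line)
        if not m:
            continue  # line layout not recognised; skip rather than guess
        groups = m.groupdict()
        target = groups.get("qname") or groups.get("host")
        if domain_matches(target) or ip_matches(target):
            hits.append({"src": groups["src"], "target": target.rstrip(".").lower()})
    return hits


if __name__ == "__main__":
    for hit in indicator_hits(SAMPLE_LOGS):
        print(f"client {hit['src']} contacted blocked indicator {hit['target']}")
```

Matching on parent domains matters because the published indicators are usually registered domains while the traffic seen in logs carries hostnames beneath them; matching IP addresses against networks rather than exact strings likewise lets a single CIDR entry cover a range. Each hit identifies an internal client worth triaging, which is the information a hospital needs to prioritize patching and isolation.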