National Security Agency warns against paying ransoms | #ransomware | #cybercrime

SAN FRANCISCO — The recent ransomware attack against Change Healthcare underscored how ineffective paying a ransom can be for victim organizations, according to National Security Agency representatives.

Rob Joyce, former director of cybersecurity for the National Security Agency (NSA), and David Luber, NSA’s current director of cybersecurity, led an RSA Conference 2024 session on Wednesday titled, “State of the Hack 2024: NSA’s Perspectives.” Joyce and Luber covered a range of topics including edge device security, ransomware, increasing threats to critical infrastructure, and cloud security risks.

Joyce and Luber addressed one way to quell the significant ransomware threat — by implementing a ransom payment ban which would make it illegal for victim organizations to give into demands. Several cybersecurity vendors observed record numbers of ransomware attacks in 2023, which reignited the payment ban discussion across the industry.

Joyce and Luber stressed that whether to implement a ban is an area of ongoing debate. One side of the argument is that paying should be a business decision because attacks are severely disruptive. Others stress that paying fuels further attacks and a ban would hinder actors’ financial gains.

During the session, Joyce and Luber said they favored a payment ban, especially after seeing the outcome of the Change Healthcare ransomware attack from February, which caused massive disruptions to the company’s payment management platform and impacted medical facilities and pharmacies across the country. The BlackCat/Alphv ransomware gang breached the healthcare organization through a Citrix portal that did not have MFA enabled.

Change Healthcare parent company UnitedHealth Group subsequently paid a $22 million ransom. However, Change Healthcare still experienced prolonged and ongoing disruptions for patient care and healthcare providers. A federal investigation into the attack is ongoing.

“I think we got a new data point from the Change Healthcare attack. They tried to pay a ransom, and in the end surprisingly, the thieves ran off with their money and didn’t give anything back. Understand that if you choose to pay a ransom, you may not be able to recover your systems with that payment. Instead, invest in recovery,” Joyce said during the session.

Luber added that the Colonial Pipeline attack in 2021 was a “wake up call” and marked the first time the NSA viewed ransomware as a national security concern. Both speakers emphasized that ransomware continues to be a national security concern, further highlighted by the Change Healthcare attack. Luber said that it affected the economy and services for the healthcare sector across the nation.

Mick Baccio, global security advisor for Splunk’s Surge team, told TechTarget Editorial that while he supports a payment ban, he believes it would push payments underground.

“If you ban ransomware payments, are you really going to ban payments or just enable a cut out market that will third-party everything? I understand the banning and I think it should happen. Create that cut out market and then go stomp it,” Baccio said.

Securing edge devices

Another security concern that’s been highlighted by recent attacks is the significant threat to edge devices. Luber and Joyce said attackers target vulnerabilities and security weaknesses in edge devices because they are the first entry point to a victim’s network. With that access, threat actors can harvest credentials and maintain a persistent presence in the IT environment.

Cyber insurer Coalition released a report in April that detailed how edge devices posed a significant problem for policyholders last year. The report highlighted Cisco’s Adaptive Security Appliance (ASA), which led to significantly greater risks for Coalition customers.

Joyce said that an influx of CVEs were discovered in edge devices this year. Zero-day vulnerabilities “piled up” for some manufacturers such as Ivanti, which disclosed multiple zero days in its VPN products over a short period. The problem prompted Ivanti CEO Jeff Abbott to publish an open letter promising to put increased focus on the vendor’s security initiatives.

CISA was one of many victims affected by the zero-day attacks; threat actors exploited Ivanti flaws earlier this year to breach the agency. Joyce said edge devices will remain popular targets because they are internet facing and contain large amounts of data.

“Organizations should think about a broader set of security beyond the edge devices. When a CVE is found on an edge device we need to patch, and patch quickly,” Luber said.

The speakers warned that edge devices are a focus for both ransomware groups and nation-state attackers.

Another area that attracts an array of attackers is the cloud. Joyce said that over the past five years or more, there’s been a massive migration over to the cloud which makes it a big target for a variety of threat actors. He cited activity by the Russian nation-state actor tracked as Midnight Blizzard as one example.

Midnight Blizzard, also known as Cozy Bear and APT29, was responsible for the SolarWinds breach in 2020 and more recently attacked Microsoft and gained access to corporate emails, documents and source code. The breach affected the federal government, as Midnight Blizzard actors obtained email exchanges between agencies and Microsoft.

“Midnight Blizzard is exploiting cloud services in commercial products and manipulating trust we rely on across the U.S. and the government,” Joyce said.

Joyce stressed that attackers target the cloud because the government and private industry trust the cloud to secure its sensitive data. However, he also said storing data in the cloud presents challenges since mitigations can be more challenging compared to on-premises technology.

“We’ve got to know and have the trust in the cloud because we lose some of our visibility into the environment. We don’t always have access to the logs; CVEs aren’t issued. If you’re using on-premises, you understand your flaws. We need to understand that in the cloud as we invest more in it,” Joyce said.

Concerns about a lack of visibility into cloud vulnerabilities have grown in recent years, prompting some companies to increase collaboration with security researchers and improve documentation of such flaws. Jesse Doughtery, vice president of network edge services at AWS, told TechTarget Editorial that collaboration between AWS and its partners is important in the discovery and reporting of cloud vulnerabilities.

“We harden it through collaboration and proactive thinking. That makes a huge difference,” Doughtery said.

Arielle Waldman is a Boston-based reporter covering enterprise security news.
