Regulating Big Tech. China outlaws cryptocurrency transactions. Russian markets and US sanctions. Approaches to resiliency.

By the CyberWire staff

At a glance.

Transatlantic regulation of Big Tech.
China outlaws cryptocurrency transactions.
Russian markets shrug off proposed US sanctions.
US guidance for critical infrastructure firms.
OFAC wants you to say "no" to ransom.
Mandatory reporting.
Lessons from the Port of Houston attack.

US and EU working on a joint approach to regulating Big Tech.

Reuters says the EU and US are preparing to announce a “more unified approach” to Big Tech at a US-EU Trade & Technology Council summit to be attended by the US Secretaries of State and Commerce and European Commissioner for Trade next week. The Council’s tech working group intends to “seek convergence” on “technology platform governance,” having “identified common issues of concern around gatekeeper power.” On deck are topics like content moderation, the impact of algorithms, protecting democratic institutions, researchers’ access to data, and monopolistic practices. Industry onlookers worry the US will face pressure to conform to EU models of governance.

China outlaws cryptocurrency transactions.

The People’s Bank of China today declared all cryptocurrency transactions off limits in the interest of “national security and social stability,” the Wall Street Journal reports. The announcement, which targets foreign exchanges serving residents and heralds a “comprehensive monitoring system,” follows a longstanding ban on domestic exchanges and recent clampdowns on crypto mining. AvaTrade analyst Naeem Aslam commented, “The message was very, very strong today. They are really saying no one can have any association with cryptocurrencies.” Beijing is in the process of developing its own digital currency.

Russian markets so far unaffected by proposed US sanctions.

According to Yahoo Finance, a threatened “major escalation” to US sanctions against Moscow hasn’t yet shaken Russian markets. A provision included in the US House’s version of the 2022 National Defense Authorization Act (NDAA) would expand the existing prohibition on US citizens purchasing Kremlin debt to secondary markets. Also on the table are sanctions against Nord Stream 2 personnel and high-profile Russians. With the NDAA’s future still uncertain, a spokesman for President Putin called the proposal an “internal parliamentary exercise.” The US Chamber of Commerce fears the measure could harm US firms more than Moscow.

Washington issues cybersecurity guidance for critical infrastructure firms.

In response to a July directive from President Biden, CNN reports, the Departments of Commerce and Homeland Security readied voluntary cybersecurity guidelines for critical infrastructure industrial control system operators. Among the suggestions are risk management and crisis planning best practices.

OFAC’s caution against paying ransom.

The National Law Review recaps the US Treasury Office of Foreign Asset Control’s (OFAC) warning against paying ransom to sanctioned parties. While the law remains unchanged, the advisory communicates enhanced enforcement attention, and reminds organizations that they risk $20 million in civil penalties for transferring funds to entities on the Specially Designated Nationals and Blocked Persons List. Companies that implement strong cybersecurity programs and loop in CISA and law enforcement will receive gentler treatment.

Mandatory reporting requirements under consideration in the US Congress.

The Senate Homeland Security and Governmental Affairs Committee yesterday held a hearing on “Cybersecurity and Protecting Critical Infrastructure.” Senator Thursday, September 23rd, 2021. Senator Gary Peters (Democrat of Michigan) and chair of the Committee, asked CISA Director Easterly for her views on an incident reporting bill the Senator and his colleagues are working on. Easterly strongly supports such legislation, and thinks it might best be enforced by some system of fines, which she sees as likely to be a more "agile" enforcement mechanism than the subpoena power the draft legislation currently envisions.

Resilience in critical infrastructure.

Since the recently disclosed cyberattack against a server at the Port of Houston came up during the hearings (Easterly offered an account of this particular attempt against a critical installation), it's worth reviewing that attack and industry reaction to it. The Port of Houston Authority said yesterday in a brief announcement that it had “successfully defended itself against a cybersecurity attack in August. Port Houston followed its Facilities Security Plan in doing so, as guided under the Maritime Transportation Security Act (MTSA), and no operational data or systems were impacted as a result.” CNN reports that on August 19th attackers believed to be associated with a foreign intelligence service gained access to a server in the Port of Houston, planted malware, and stole Microsoft credentials. Defenders were able to isolate the compromised server within about an hour and a half of the initial attack. Whichever nation-state was responsible for the Houston attack (and there's no attribution, yet) the Record reports that the attack was accomplished by exploiting a zero-day in a Zoho authentication appliance.

Cherise Esparza, CPO, CTO & Co-Founder of SecurityGate, is encouraged: “This is a good news story demonstrating when organizations are prepared, adhere to guidelines, and have security controls in place with the proper processes, attacks can be thwarted!” Doug Britton, CEO of Haystack Solutions, is also encouraged, but counsels continued vigilance: “This successful defense is a stark reminder that organizations and agencies alike are under constant threat from bad actors, including nation-states. Also, remnants from SolarWinds still can pose a threat, even after all this time. It takes a strong cyber team to battle these kinds of threats. We need to make sure to continue our investment in cybersecurity. The profession needs to grow at a strong rate and remain robust as future battles like this will continue to be digital.”

Saryu Nayyar, CEO of Gurucul, also liked the successful defense and recovery:

“There are rarely publicized success stories in cybersecurity; usually we hear about damaging breaches. So this story that The Port of Houston has successfully fended off an attack is encouraging to hear. The attackers attempted to make use of a new vulnerability in ManageEngine ADSelfService Plus, a password management service to enter the network. Infrastructure such as port operations are fertile ground for ransomware-style attacks, due to both their critical nature and often their relatively poor security practices. Ports, utilities, airports, and other types of infrastructure should have both comprehensive security systems coupled with active monitoring of endpoints, IoT devices, servers, network, and individual systems so that early detection and remediation become the norm, rather than the exception.”

Ron Bradley, VP at Shared Assessments, draws a metaphorical lesson:

“There's a lot to unravel here, and it's a fairly complex technical discussion. It's ironic this notification originated from the Port of Houston, because it's very much in line with what I advise in many instances, and that is to know your ports and protocols. What holds true in shipping ports also holds true in network ports which are synonymous in a certain sense. In shipping ports, the protocol is to understand which ships are coming into the port and what is contained within the shipment. The same holds true for networking ports and protocols. Companies must be diligent about continuously scanning open ports from the outside of their network and ensuring no unauthorized ports are accessible.

“The primary mitigation to this particular attack would be to not allow the password reset application to be accessible from outside networks. If that's not practical or possible, then additional layers must be implemented such as multi factor authentication, in addition to the appropriate intrusion detection and intrusion prevention mechanisms.”

Other commentators were dismayed by another case in which attackers found credentials relatively accessible. And several of them noted that organizations under stress, as so many are during enforced periods of remote work and the other consequences of the COVID-19 pandemic, are in a heightened state of vulnerability.

Danny Lopez, CEO of Glasswall, sees a glass half full (sort of). But an attacker with the right credentials is a major problem:

“While it’s positive the Port of Houston cyberattack did not disrupt operations, the fact that foreign adversaries were able to obtain legitimate credentials for the systems belonging to one of the largest ports on the U.S. Gulf Coast is concerning. More details on how the intrusion happened will likely be revealed in the coming days, but for now it's worth underlining how to minimize the risk and impacts of credential theft.

"Critical infrastructure organisations need to adopt robust processes for onboarding and offboarding employees and affiliates that may receive access to key information systems. It's vital to control privileged access and to monitor those that enjoy that administrator privilege. Ensuring that multi-factor authentication is enforced wherever possible, is a vital defence where user credentials find their way into the hands of adversaries. This will help to limit the blast radius, and in most cases, defeat the data breach.

"Even if all procedures and policies are well executed, then there's no escaping the fact that adversaries are constantly looking to probe vulnerabilities and to insert malware into the environment to enable surveillance, often using everyday business documents which we all use. It's vital that ports like this, and all organisations, invest in cyber protection services that stay ahead of attackers by eliminating the threats while still allowing employees to do their vital work and the business to function.

"Attacks like these demonstrate that a traditional castle-and-moat approach to network security leaves organisations exposed. Zero trust security sees the world differently. No one is trusted by default, regardless of whether they are inside or outside a network. In a world where data can be held amongst multiple cloud providers it is crucial to strengthen all processes relating to access verification. Without a zero trust approach organisations run the risk of attackers having a free reign across a network once they are inside."

Matthew Meehan, chief operating officer at TokenEx, agrees that stolen credentials are the "weak link in the security chain," even as technology trends in the direction of risk-based authentication:

"There is ample opportunity for hackers to exploit passwords everyday. We continue to encourage strong password policies as vital to both personal and business security. Cybercriminals often reuse credentials found from online data dumps, commonly known as credential stuffing, to access sensitive data. That tactic, combined with user penchant for simple passwords, does not result in an appropriate level of data protection. We can't stress enough - users should never repurpose passwords. Instead, creating complex and unique passwords in conjunction with two-factor authentication is best.

"For all types of sensitive data like personal or payment information, organizations can remove that data from systems entirely using tokenization. That way, if a foreign hacker does access U.S. systems, as in the case of the Port of Houston, they won't be able to steal any useful information. Finally, rather than being a target to malicious attacks, good password hygiene practices like not sharing or reusing passwords, are absolutely vital. Investing the time to take one extra step to secure data is invaluable to U.S. interests, compared to the fallout of a data breach.”

Neil Jones, Egnyte's cybersecurity evangelist, draws attention to the other problems the transportation sector faces:

“Labor shortages and supply chain disruption resulting from the global pandemic have already stifled productivity at U.S. ports. Just last month, a record 44 vessels were awaiting a berth space at the Los Angeles and Long Beach, California ports, with an average wait time of 7.6 days. Imagine if a cyberattack had occurred on the ports' operations during such a critical time. In the Port of Houston case, the attacker appeared to breach the port's network via remote access, a mission-critical requirement for a port that's required to function on a 24/7/365 basis. So, it is especially fortunate that shipping operations weren't disrupted.

"The reality is that all transportation and shipping data are vulnerable without proper data governance and network security techniques. It is imperative that organizations protect the data itself, not just the technical infrastructure around their data. This type of security incident occurs far too regularly, particularly now that many employees are required to work remotely, in decentralized teams. If credential compromise tools are implemented correctly, they can render cybercriminals’ attacks ineffective. Used in a case like this where the adversaries were able to infiltrate the network, the files themselves would remain inaccessible to outsiders, and crucial shipping systems would remain protected.”

And Exabeam's chief strategy officer Gorka Sadowski would make our flesh creep with accounts of the stuff they see on the dark web:

“Exabeam continually cautions its customers and partners on the pervasiveness of credential-based attacks. Login credentials have significant value, and the threat of theft persists from adversaries. The challenge is that usernames and passwords remain critical in our daily lives, from helping us complete work to carrying out personal matters like online shopping, banking or connecting with friends over social media.

"Billions of previously stolen credentials live on the dark web, and we’ve just accepted that they fuel the underground economy and enable more credential stuffing attacks. We know that the hackers are bold and unconcerned with being detected on the network because they use sophisticated methods that mimic typical user activity. If their access is gained using valid credentials, it makes them even more difficult for administrators to catch. Thankfully, in this instance, the compromise was detected. If it hadn’t been, the attacker would have obtained unrestricted access.

"Organizations across all industries need to invest in machine learning-based behavioral analytics solutions to help detect malicious activity and stop adversaries before damage is done. These analytics tools can immediately flag when a legitimate user account is exhibiting anomalous behavior, providing greater insights to SOC analysts about both the compromised and the malicious user, which results in a faster response time.”

Cyber commanders reflect on lessons learned from the pandemic. (The CyberWire) The US military has been engaged in cyber conflict throughout the pandemic. Senior officers gathered yesterday at the DoD Cyber Commanders Summit, Sponsored by Palo Alto Networks, to discuss "Lessons Learned from a Global Pandemic." They shared both lessons learned and suggestions for improvement. Remote work capabilities and the government's senior cybersecurity leadership team are big successes for US Cyber Command. Training, competition, and industry partnerships still need attention.

OFAC Helps Those Who Help Themselves: How a Ransomware Response Plan… (Fenwick & West LLP) On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) updated its advisory addressing the sanctions risks associated with paying ransomware actors. Many malicious cyber actors are located in embargoed countries such as Iran and North Korea.

Pegasus case: SC to set up a technical panel to probe surveillance allegations (Scroll.in) The order was delayed as some experts had said they would not be able to join the committee due to personal reasons, the chief justice said.

Experts say China’s low-level cyberwar is becoming severe threat (the Guardian) Activity more overt and reckless despite US, British and other political efforts to bring it to a halt

China continues to pose cyber security threats to India (India Today) Ever since the border skirmishes between India and China in May 2020, Chinese hacker groups have been regularly targeting Indian public sector companies and technical establishments via cyber security breaches.

China Declares Cryptocurrency Transactions Illegal; Bitcoin Price Falls (Wall Street Journal) China’s central bank said all cryptocurrency-related transactions are illegal, reinforcing the country’s tough stance against digital rivals to government issued money.

EXCLUSIVE Big Tech targeted by U.S. and EU in draft memo ahead of tech and trade meeting (Reuters) The United States and European Union plan to take a more unified approach to limit the growing market power of Big Tech companies, according to a draft memo seen by Reuters.

Putin is directing attacks on the US through cyberspace. Here's how companies can stay safe (Fox Business) Putin is directing full throttled attacks on the U.S. in the unregulated, wide-open, man-made domain of cyberspace, which has become the backbone infrastructure of 21st century commerce and free expression.

Russian Markets Unruffled as U.S. House Raises Sanctions Risk (Yahoo Finance) (Bloomberg) -- Russian investors shrugged off U.S. House backing for a provision that could extend bond-trading curbs to the secondary market as punishment for Moscow’s alleged interference in U.S. elections. Most Read from BloombergIstanbul Turns Taps on Old Fountains, Joining Global Push for Free DrinksIn Paris, the Wrapped Arc de Triomphe Is a Polarizing PackageHow the Child Care Crisis Became a Global Economic FiascoThe Global Housing Market Is Broken, and It’s Dividing Entire CountriesBerli

Google Stays Silent On Russia's Growing Internet Threats (Bloomberg) No nation asks Google to scrub more from the internet than Russia. Over the past decade, Russian officials have requested the removal of nearly 1 million web pages, documents, apps and videos, mostly for reasons Google categorizes as "copyright" or "national security."

Get Prepared for Data Privacy Compliance Under China PIPL - Data Matters Privacy Blog (Data Matters Privacy Blog) On August 20, 2021, China’s National People’s Congress passed the Personal Information Protection Law (PIPL), which will become effective starting November 1, 2021. As an overarching law in China with... Read More

Hong Kong’s National Security Promises Were All Hollow (Foreign Policy) The Beijing-backed law is now used to crush dissent across the board.

The China-Lithuania Rift Is a Wake-Up Call for Europe (Foreign Policy) China is bullying Lithuania. The EU and NATO should push back.

State’s Cyber Security Centre ‘under-resourced’ to meet its goals (The Irish Times) Report by consultants makes 45 recommendations to improve its capacity

NDAA roundup: Senate bill places deep focus on cyber, IT and AI (FedScoop) Editor’s Note: This story has been updated to reflect the House passing its version of the NDAA. The Senate Armed Services Committee on Wednesday filed its final version of the annual defense policy bill, which would authorize $768 billion in spending on defense that prioritizes the modernization of the military’s IT and cybersecurity capabilities, including […]

Biden cybersecurity leaders back incident reporting legislation as ‘absolutely critical’ (Federal News Network) Senior officials supported fines for companies that don’t comply with proposed cyber reporting regulations.

Biden administration issuing new security guidance to companies aimed at blunting cyberattacks (CNN) The Biden administration is issuing new security guidance to critical infrastructure firms in an attempt to blunt the impact of ransomware and other hacks, following a series of attacks on US companies.

U.S. Officials Call for Fines Against Companies That Don’t Report Hacks (Wall Street Journal) The Biden administration wants Congress to add teeth to legislation that would force operators of critical infrastructure to disclose cyberattacks.

Ransomware Victims Told to Think Twice Before Paying Hackers (The National Law Review) On Tuesday, the U.S. Department of Treasury&rsquo;s Office of Foreign Asset Control (&ldquo;OFAC&rdquo;) issued an&nbsp;updated advisory&nbsp;warning all ransomware victims that if they succumb to ran

CISA issues promised draft guidance aligning TIC 3.0 with federal IPv6 mandate (FedScoop) The Cybersecurity and Infrastructure Security Agency enhanced its Trusted Internet Connections (TIC) 3.0 program to support the implementation of IPv6 across all federal IT systems with guidance issued Thursday. IPv6‘s 340 undecillion Internet Protocol (IP) addresses solve the problem of IPv4 running out of readily available addresses in 2015, while supporting the end-to-end visibility and […]

()