Cybersecurity Snapshot: As Feds Hunt CL0P Gang, Check Out Tips on Ransomware Response, Secure Cloud Management and Cloud App Data Privacy

Learn all about the U.S. government's reward for CL0P ransomware leads. Plus, check out ransomware incident response recommendations. Also, review concrete guidance on cloud system administration and on designing cloud apps with privacy by default. And much more!

Dive into six things that are top of mind for the week ending June 23.

1 – Wanted: Feds offer $10 million reward for CL0P info

The CL0P ransomware gang lately has been making hay out of the MOVEit Transfer vulnerabilities, so it's no surprise it's drawn the attention of law enforcement. This week, the U.S. Department of State announced a reward of up to $10 million for information on the group – or on any attackers targeting U.S. critical infrastructure. Check out the details below.

For more information about the MOVEit Transfer vulnerabilities and CL0P, check out these Tenable resources:

• “FAQ for MOVEit Transfer Vulnerabilities and CL0P Ransomware Gang” (blog)
• “CVE-2023-34362: MOVEIt Transfer Critical Zero-Day Vulnerability Exploited in the Wild” (blog)

VIDEOS

Tenable CEO Amit Yoran discusses CL0P Ransomware Gang with CNN

Anatomy of a Threat: MOVEIt

Tenable CEO Amit Yoran discusses MOVEit Transfer Hack on BBC Asia

2 – IANS: Best practices for ransomware incident response

And staying on the ransomware topic, you can never have too many tips, insights and best practices into how to address these attacks. That’s why a recent IANS Research blog post about building an incident response process for ransomware caught our eye. Here’s what it recommend:

• Be as prepared as possible for a ransomware attack, including having data backups; a business continuity and disaster recovery plan for critical applications; cyber insurance coverage; and updated threat intelligence information.

• Have tools and processes in place that let you detect early signs of an attack, so you can isolate and contain impacted systems before widespread damage is done. Items to assess include known ransomware signatures and anomalous I/O activity.

• Collect critical data quickly and thoroughly, including when the infection happened, what was the infection method, what’s the attack’s scope and magnitude; and what’s the impact on the business.

• Outline a course of action, including ways to reduce business impact, whether to loop in your insurance provider, examining your threat intelligence and deciding on whether to pay the ransom or not

• Restore the damaged data and bring all affected systems back up, including fixing the underlying cause of the attack

To get all the details, read the IANS Research blog “How to Build a 5-Step IR Process for Ransomware.”

For more information about ransomware, check out these Tenable resources:

• “Ransomware Preparedness: Why Organizations Should Plan for Ransomware Attacks Like Disasters” (blog)
• “The Ransomware Ecosystem” (research report) 
• “Tenable’s Ransomware Ecosystem Report: Understanding the Key Players, Common Attack Vectors and Ways You Can Avoid Becoming a Victim” (on-demand webinar)
• “FBI and CISA Release Cybersecurity Advisory on Royal Ransomware Group” (blog)
• “U.S. and Australian Agencies Publish Joint Cybersecurity Advisory on BianLian Ransomware Group” (blog)

3 – Guidance on high-risk and emergency access to cloud services

The U.K.’s National Cyber Security Centre (NCSC) this week delved into two specific and critical areas of cloud system administration – high-risk access and emergency access – and how to secure them.

For high-risk access, which allows cloud service administrators to manage a critical component during normal operation, the NCSC recommends:

• Implementing phishing-resistant multifactor authentication for users with this level of access 
• Require that these admins use a privileged access workstation (PAW), which is a dedicated hardware device for performing high-risk management tasks

Also known as “break the glass” access, emergency access lets administrators manage cloud services during abnormal circumstances when systems may be down. NCSC security tips include:

• Ask your cloud provider what account recovery options are available, and make sure you’re ready to use them if needed
• Ensure that alarms are triggered when emergency access steps are taken in case it’s not a legit action but rather a sign of a breach

To get all the details, check out the NCSC’s blog “Protecting how you administer cloud services.”

For more information about secure cloud administration:

• “Guide to cloud security management and best practices” (TechTarget)
• “Experimenting with AI for Cloud Administration” (ITPro Today)
• “What is cloud management?” (TechTarget)
• “Cloud Management in Cloud Computing” (Geeks for Geeks)

4 – Study: U.S. critical infrastructure at risk due to weak public-private collaboration 

A new study finds the relationship between the U.S. government and the private sector for protecting critical infrastructure is obsolete and underfunded – a danger to national security.

That’s the conclusion from the report “Revising Public-Private Collaboration to Protect U.S. Critical Infrastructure” published by CSC 2.0, a project that’s continuing the work that the U.S. Congress-backed Cyberspace Solarium Commission conducted from 2019 to 2021.

“The policy underpinning this public-private sector relationship has become outdated,” reads the 36-page report. “Similarly, the implementation of this policy – and the organization, funding, and focus of the federal agencies that execute it – is inadequate.” 

CSC 2.0’s recommendations center on rewriting the Presidential Policy Directive 21 (PPD-21), adopted during the Obama administration, and include:

• Clarify CISA’s roles and responsibilities as the national risk management agency
• Establish responsibilities and accountability for updating key documents
• Organize public-private collaboration to mitigate systemic and cross-sector risk
• Develop functional information-sharing capacity across all sectors

To get all the details, read the report’s announcement, the executive summary and the full report.

For more information about critical infrastructure cybersecurity:

• “Challenges in Protecting Cyber Critical Infrastructure” (U.S. Government Accountability Office)
• “Engineering Cybersecurity into U.S. Critical Infrastructure” (Harvard Business Review)
• “Navigating Federal Cybersecurity Recommendations for Public Water Utilities” (Tenable)
• “'Volt Typhoon' China-Backed APT Infiltrates US Critical Infrastructure Orgs” (Dark Reading)
• “10 notable critical infrastructure cybersecurity initiatives in 2023” (CSO Online)

5 – Build privacy into cloud apps by default and by design

Building cloud apps that’ll store and process private data? Check out seven foundational principles of privacy by default and by design from Eyal Estrin, a cloud and infosec architect who authored the book “Cloud Security Handbook.”

• Implement proactive and preventive security controls offered by cloud providers in areas like identity and access management, network protection and data encryption
• Adopt privacy as the default setting at the application level and infrastructure level, minimizing collection and retention of data, and encrypting it in transit and at rest
• Embed privacy safeguards into an app’s design, so that it supports data privacy regulations and rights
• When embedding privacy safeguards into the design, don’t affect the app’s security controls and other services’ performance
• Protect data from end-to-end for its full lifecycle, including collection, storage, retirement and disposal
• Craft a comprehensive and clear privacy policy for the app, and keep it updated
• Make privacy user-centric, with privacy settings turned on by default and with easy ways for users to opt-in and opt-out, and to export their data

To get all the details, read Estrin’s post “Privacy by Design and Privacy by Default in the Cloud” in the Cloud Security Alliance blog.

For more information about cloud data privacy and security:

• “CISA Introduces Secure-by-design and Secure-by-default Development Principles” (SecurityWeek)
• “What does data protection ‘by design’ and ‘by default’ mean?” (European Commission)
• “Data processing by design and default” (U.K. Information Commissioner’s Office)
• “6 business benefits of data protection and GDPR compliance” (TechTarget)

6 – Secure your baseboard management controllers

CISA and the NSA have issued a joint information sheet with guidelines for hardening baseboard management controllers (BMCs), embedded controllers that allow administrators to monitor computers, servers and other hardware devices.

“Hardened credentials, firmware updates and network segmentation options are often overlooked, leading to a vulnerable BMC,” reads a joint alert. A breached BMC can let attackers take actions like “establishing a beachhead with pre-boot execution potential.”

Recommended actions include:

• Protecting BMC credentials by changing defaults ASAP, using strong passwords and establishing unique user accounts for administrators
• Enforcing VLAN separation to isolate BMC network connections
• Hardening configurations

To get all the details, read the joint announcement and the actual document, titled “Harden Baseboard Management Controllers.”

For more information about BMCs and how to secure them:

• “What is a baseboard management controller?” (TechTarget)
• “Thousands of enterprise servers are running vulnerable BMCs, researchers find” (CSO Online)
• “Firmware Flaws Could Spell 'Lights Out' for Servers” (Dark Reading)
• “BMC Firmware Vulnerabilities Expose OT, IoT Devices to Remote Attacks” (Security Week)
• “Opening up the Baseboard Management Controller (Association for Computing Machinery Digital Library)

(Editor's note: This blog was updated on June 27, 2023 to correctly attribute the CL0P ransomware reward offer to the U.S. Department of State.)