US software supply chain security guidelines. Nomination of US cyber ambassador advances. US indicts and sanctions Iranian cyber operators.

Summary

By the CyberWire staff

At a glance.

White House issues software supply chain security memorandum.
Senate Foreign Relations Committee advances nomination of cyber ambassador.
US indicts and sanctions Iranian cyber operators.

White House issues software supply chain security memorandum.

The White House has released new federal software security requirements following the SolarWinds attack, Federal News Network reports. The Office of Management and Budget has released the new guidance, “Enhancing the Security of the Software Supply Chain to Deliver a Secure Government Experience” which grows on the cybersecurity order issued last year, and applies to third-party software usage. The memo from the office tells agencies to ensure that their third-party software usage complies with National Institute of Standards and Technology (NIST) guidance. Software vendors can also provide a “plan of action and milestones” if the NIST standards can’t be achieved.

Senate Foreign Relations Committee advances nomination of cyber ambassador.

The Senate Foreign Relations Committee has chosen to advance Biden’s cyber ambassador nominee, Nathaniel Fick, The Record by Recorded Future reports. If confirmed by the full Senate, Fick will lead the State Department’s Bureau of Cyberspace and Digital Policy. In this position, Fick would oversee growth of the expanding office, as well as “coordinating global cyber defense activities against threats like ransomware; promoting U.S. standards to cutting-edge technology, such as 5G; and giving aid to human rights activists facing digital repression in countries like Russia and China.”

US indicts and sanctions Iranian cyber operators.

The Record by Recorded Future reports that the US government has indicted, sanctioned, and put bounties on Iranian cyber operators that worked with Iran’s military to launch ransomware attacks targeting a multitude of American hospitals, governments, nonprofits, and businesses. Sanctions were issued against two businesses, Najee Technology Hooshmand Fater and Afkar System Yazd Company, and 10 Iranians, with three – Mansour Ahmadi, Ahmad Khatibi Aghda, and Amir Hossein Nikaeen Ravari – being indicted for their roles in the ransomware attacks.

Edward Liebig, Global Director of Cyber-Ecosystem, Hexagon Asset Lifecycle Intelligence, generalizes--at one level of abstraction, the activities of the Iranian threat actors are another reason to increase cyber hygiene:

"The charges coming down on the Iranian hackers that exploited hundreds of computers in the US critical infrastructure space is just another stark reminder that cyber hygiene is critical to our defense against attacks. These attacks are focused on exploiting known vulnerabilities rather than targeting specific sectors, which advances asset and vulnerability management and remediation to the frontlines. Victims in the U.S. reportedly span from power companies to nonprofits, all of which must have detailed visibility into their assets in order to effectively protect them from threat actors. It's also important to note that these individuals did not carry out these attacks on behalf of the Iranian government, but did so on their own accord with their own (likely more limited) resources. Unfortunately, critical infrastructure entities often rely on dated technology that's extremely vulnerable to these types of attacks. Put simply: it's not that hard for cybercriminals to compromise critical infrastructure systems. The Biden Administration's crackdown on Iranian cybercriminal groups is working and should continue to be a focus, as should urging operators of critical infrastructure to shore up their cyber hygiene quickly and effectively."

Alon Nachmany, Field CISO at AppViewX, applauds the law enforcement action:

“The US Department of Justice’s announcement to charge three Iranian individuals who allegedly launched cyberattacks against the U.S. and global critical infrastructure is a breath of fresh air. At one point in time, it was a running joke within the security industry that the Internet Crime Complaint Center (IC3), a division of the Federal Bureau of Investigation, is where filed reports of cybercrime went to die. However, this move by the Department of Justice not only signals to the cybersecurity industry that the government is with them, but that they are willing to go the extra mile to see an end to what has become a pressing issue in today's day and age. While the individuals are likely in Iran, the US web of extradition treaties will very much limit the places these individuals can travel to without being caught. Once charges are filed, they remain for a long time since after charges are filed, there is no statute of limitations. It is also interesting that these individuals are not believed to be working with or for the Iranian government. Especially, because it is well known that under General Qassem Soleimani, the former leader of the elite Quds Force and a commander in the Iranian military branch of the Islamic Revolutionary Guard Corps (IRGC), the country oversaw a major increase in its cyber capabilities. While there might not be a connection between these individuals and the Islamic Republic of Iran, we might see this develop in the future.”

BlueVoyant's Austin Berglas, Global Head of Professional Services, thinks the indictments bring to prominence the weaknesses of current credential management approaches:

“These indictments highlight a major gap in security common to multiple sectors and organizations. Unpatched infrastructure is equivalent to leaving your house key under your doormat when you leave for vacation. Allowing cyber criminals to exploit publicly available vulnerabilities prevents them from having to spend time and resources developing new ways to compromise your environment.

"BlueVoyant’s threat intelligence confirms that hackers can start exploiting new vulnerabilities quickly, sometimes in a matter of days. For this reason, starting late 2021, the U.S.’s Cybersecurity & Infrastructure Security Agency (CISA) now requires that regulated government agencies patch new vulnerabilities within two weeks, and sometimes sooner if there is a grave risk. Despite the risk, BlueVoyant has found that some organizations are slow to patch, many taking weeks, leaving them vulnerable.

"In addition, it is not only new vulnerabilities that are of concern. Threat vectors that have been around for many years, such as supply chain attacks, watering holes, and phishing, continue to evolve, but are still effective because of the lack of preparation of the end users and their organization.

"The number one concern for enterprises is to secure their data and credentials to ensure business continuity. The best way to have strong cybersecurity is several layers of defense, which should be systematically implemented over time. The first step is understanding what is critical in the environment and building walls of protection around, and rules for access to, this information. Multi-factor authentication (MFA) needs to be implemented across all accounts as the vast majority of account compromises will be prevented with this addition. Next, develop a baseline and establish alerting for users' login patterns in order to understand what is abnormal or anomalous. Then, organizations should employ e-mail protection and continuously educate the user base on phishing and other common cyber threats.”

Selected Reading

Current, former social media execs address national security issues at Senate hearing (Fox Business) Current and former executives from Twitter, Facebook, TikTok and others will address social media national security concerns at a Senate Homeland Security Committee hearing.

Three Iranian Nationals Charged with Engaging in Computer Intrusions and Ransomware-Style Extortion Against U.S. Critical Infrastructure Providers (US Department of Justice) An indictment was unsealed today charging three Iranian nationals with allegedly orchestrating a scheme to hack into the computer networks of multiple U.S. victims.

Treasury Sanctions IRGC-Affiliated Cyber Actors for Roles in Ransomware Activity (U.S. Department of the Treasury) Action Part of U.S. Government Response to the Continuous Malicious Cyber Activities Conducted by Iranian Actors

Index – Rewards For Justice (US Department of State) Critical Infrastructure - Individual Ahmad Khatibi Aghda Global| Near East (North Africa and the Middle East) Up to $10 million Critical Infrastructure - Individual Amir Hossein Nickaein Ravari Global| Near East (North Africa and the Middle East) Up to $10 million Critical Infrastructure - Individual Mansour Ahmadi Global| Near East (North Africa and the Middle East) Up to $10 million

U.S. gov’t unveils sanctions, charges, bounties on Iranian ransomware actors (The Record by Recorded Future) The U.S. government unveiled a slate of sanctions, charges and bounties related to a group of Iranian nationals accused of launching ransomware attacks in the U.S. and abroad.

EU Proposes Strict Cybersecurity Rules for Digital-Product Makers (Wall Street Journal) Security guarantees and five years of patches would be required for a range of products, from home appliances and connected toys to computers and software, under European Union plan.

Enhancing the Security of the Software Supply Chain through Secure Software Development Practices (The White House) The Federal Government relies on information and communications technology (ICT) products and services to carry out critical functions. The global supply chain for these technologies faces relentless threats from nation state and criminal actors seeking to steal sensitive information and intellectual property, compromise the integrity of Government systems, and conduct other acts that impact the United States Government’s ability to safely and reliably provide services to the public.

Enhancing the Security of the Software Supply Chain to Deliver a Secure Government Experience (The White House) By Chris DeRusha, Federal Chief Information Security Officer and Deputy National Cyber Director The Biden-Harris Administration is committed to delivering a Government that works for all Americans – and technology powers our ability to do so. In order for Federal agencies to provide critical services, information, and products to the American people, they need access…

White House releases post-SolarWinds federal software security requirements (Federal News Network) OMB wants to avoid a future SolarWinds by requiring federal software vendors to self-certify that they’re following secure development practices.

Senate committee advances Fick nomination as State Department’s top cyber diplomat (The Record by Recorded Future) The Senate Foreign Relations Committee on Wednesday advanced President Joe Biden’s pick to be the country’s first cyber ambassador in a bipartisan voice vote.

Disinformation via text message is a problem with few answers (NBC News) While there’s now a cottage industry and federal agencies that target election disinformation when it’s on social media, there’s no comparable effort for texts.

California governor signs law requiring social networks to post moderation rules (The Verge) It’s one of several California social media regulations.

Air and Space Forces raise bonus amounts for technically trained cyber troops (Stars and Stripes) The Air Force and Space Force are prepared to pay a premium to keep their cyber-trained professionals wearing blue, according to the updated list of bonus-eligible career fields.