Tag: Hackers

Clop Claims Zero-Day Attacks Against 130 Organizations

Russia-linked ransomware gang Clop has claimed that it has attacked over 130 organizations since late January, using a zero-day vulnerability in the GoAnywhere MFT secure file transfer tool, and was successful in stealing data from those organizations. The vulnerability is CVE-2023-0669, which allows attackers to execute remote code execution.

The manufacturer of GoAnywhere MFT notified customers of the vulnerability on February 1, 2023, and issued a patch for the vulnerability on February 7, 2023.

HC3 issued an alert on February 22, 2023, warning the health care sector about Clop targeting healthcare organizations and recommended:

  • Educate and train staff to reduce the risk of social engineering attacks via email and network access.
  • Assess enterprise risk against all potential vulnerabilities and prioritize implementing the security plan with the necessary budget, staff, and tools.
  • Develop a cybersecurity roadmap that everyone in the healthcare organization understands.

Security professionals are recommending that information technology professionals update machines to the latest GoAnywhere version and “stop exposing port 8000 (the internet location of the GoAnywhere MFT admin panel).”

Article By Linn F. Freedman of Robinson & Cole LLP

For more cybersecurity legal news, click here to visit the National Law Review.

Copyright © 2023 Robinson & Cole LLP. All rights reserved.

Privacy Tip #358 – Bank Failures Give Hackers New Strategy for Attacks

Hackers are always looking for the next opportunity to launch attacks against unsuspecting victims. According to Cybersecurity Diveresearchers at Proofpoint recently observed “a phishing campaign designed to exploit the banking crisis with messages impersonating several cryptocurrencies.”

According to Cybersecurity Dive, cybersecurity firm Arctic Wolf has observed “an uptick in newly registered domains related to SVB since federal regulators took over the bank’s deposits…” and “expects some of those domains to serve as a hub for phishing attacks.”

This is the modus operandi of hackers. They use times of crises, when victims are vulnerable, to launch attacks. Phishing campaigns continue to be one of the top risks to organizations, and following the recent bank failures, everyone should be extra vigilant of urgent financial requests and emails spoofing financial institutions, and take additional measures, through multiple levels of authorization, when conducting financial transactions.

We anticipate increased activity following these recent financial failures attacking individuals and organizations. Communicating the increased risk to employees may be worth consideration.

Article By Linn F. Freedman of Robinson & Cole LLP

For more communications, media, and internet legal news, click here to visit the National Law Review.

Copyright © 2023 Robinson & Cole LLP. All rights reserved.

Another Lesson for Higher Education Institutions about the Importance of Cybersecurity Investment

Key Takeaway

A Massachusetts class action claim underscores that institutions of higher education will continue to be targets for cybercriminals – and class action plaintiffs know it.

Background

On January 4, 2023, in Jackson v. Suffolk University, No. 23-cv-10019, Jackson (Plaintiff) filed a proposed class action lawsuit in the U.S. District Court for the District of Massachusetts against her alma matter, Suffolk University (Suffolk), arising from a data breach affecting thousands of current and former Suffolk students.

The complaint alleges that an unauthorized party gained access to Suffolk’s computer network on or about July 9, 2022.  After learning of the unauthorized access, Suffolk engaged cybersecurity experts to assist in an investigation. Suffolk completed the investigation on November 14, 2022.  The investigation concluded that an unauthorized third party gained access to and/or exfiltrated files containing personally identifiable information (PII) for students who enrolled after 2002.

The complaint further alleges that the PII exposed in the data breach included students’ full names, Social Security Numbers, Driver License numbers, state identification numbers, financial account information, and Protected Health Information.  While Suffolk did not release the total number of students affected by the data breach, the complaint alleges that approximately 36,000 Massachusetts residents were affected.  No information was provided about affected out-of-state residents.

Colleges and Universities are Prime Targets for Cybercriminals

Unfortunately, Suffolk’s data breach is not an outlier.  Colleges and universities present a wealth of opportunities for cyber criminals because they house massive amounts of sensitive data, including employee and student personal and financial information, medical records, and confidential and proprietary data.  Given how stolen data can be sold through open and anonymous forums on the Dark Web, colleges and universities will continue to remain prime targets for cybercriminals.

Recognizing this, the FBI issued a warning for higher education institutions in March 2021, informing them that cybercriminals have been targeting institutions of higher education with ransomware attacks.  In May 2022, the FBI issued a second alert, warning that cyber bad actors continue to conduct attacks against colleges and universities.

Suffolk Allegedly Breached Data Protection Duty

In the complaint, Plaintiff alleges that Suffolk did not follow industry and government guidelines to protect student PII.  In particular, Plaintiff alleges that Suffolk’s failure to protect student PII is prohibited by the Federal Trade Commission Act, 15 U.S.C.A. § 45 and that Suffolk failed to comply with the Financial Privacy Rule of the Gramm-Leach-Bliley Act (GLBA),  15 U.S.C.A. § 6801.  Further, the suit alleges that Suffolk violated the Massachusetts Right to Privacy Law, Mass. Gen. Laws Ann. ch. 214, § 1B, as well as its common law duties.

How Much Cybersecurity is Enough?

To mitigate cyber risk, colleges and university must not only follow applicable government guidelines but also  consider following industry best practices to protect student PII.

In particular, GLBA requires a covered organization to designate a qualified individual to oversee its information security program and conduct risk assessments that continually assess internal and external risks to the security, confidentiality and integrity of personal information.  After the risk assessment, the organization must address the identified risks and document the specific safeguards intended to address those risks.  See 16 CFR § 314.4.  

Suffolk, as well as other colleges and universities, may also want to look to Massachusetts law for guidance about how to further invest in its cybersecurity program.  Massachusetts was an early leader among U.S. states when, in 2007, it enacted the “Regulations to safeguard personal information of commonwealth residents” (Mass. Gen. Laws ch. 93H § 2) (Data Security Law).  The Data Security Law – still among the most prescriptive general data security state law – sets forth a list of minimum requirements that, while not specific to colleges and universities, serves as a good cybersecurity checklist for all organizations:

  1. Designation of one or more employees responsible for the WISP.
  2. Assessments of risks to the security, confidentiality and/or integrity of organizational Information and the effectiveness of the current safeguards for limiting those risks, including ongoing employee and independent contractor training, compliance with the WISP and tools for detecting and preventing security system failures.
  3. Employee security policies relating to protection of organizational Information outside of business premises.
  4. Disciplinary measures for violations of the WISP and related policies.
  5. Access control measures that prevent terminated employees from accessing organizational Information.
  6. Management of service providers that access organizational Information as part of providing services directly to the organization, including retaining service providers capable of protecting organizational Information consistent with the Data Security Regulations and other applicable laws and requiring service providers by contract to implement and maintain appropriate measures to protect organizational Information.
  7. Physical access restrictions for records containing organizational Information and storage of those records in locked facilities, storage areas or containers.
  8. Regular monitoring of the WISP to ensure that it is preventing unauthorized access to or use of organizational Information and upgrading the WISP as necessary to limit risks.
  9. Review the WISP at least annually or more often if business practices that relate to the protection of organizational Information materially change.
  10. Documentation of responsive actions taken in connection with any “breach of security” and mandatory post-incident review of those actions to evaluate the need for changes to business practices relating to protection of organizational Information.

An organization not implementing any of these controls should consider documenting the decision-making process as a defensive measure.  In implementing these requirements and recommendations, colleges and universities can best position themselves to thwart cybercriminals and plaintiffs alike.

Article By Ericka A. Johnson and Julia B. Jacobson of Squire Patton Boggs (US) LLP

For more cybersecurity and data privacy legal news, click here to visit the National Law Review.

© Copyright 2023 Squire Patton Boggs (US) LLP

Ankura CTIX FLASH Update – December 13, 2022

Malware Activity

Uber Discloses New Data Breach Related to Third-Party Vendor

Uber has disclosed a new data breach that is related to the security breach of Teqtivity, a third-party vendor that Uber uses for asset management and tracking services. A threat actor named “UberLeaks” began leaking allegedly stolen data from Uber and Uber Eats on December 10, 2022, on a hacking forum. The exposed data includes Windows domain login names and email addresses, corporate reports, IT asset management information, data destruction reports, multiple archives of apparent source code associated with mobile device management (MDM) platforms, and more. One document in particular contained over 77,000 Uber employee email addresses and Windows Active Directory information. UberLeaks posted the alleged stolen information in four (4) separate postings regarding Uber MDM, Uber Eats MDM, Teqtivity MDM, and TripActions MDM platforms. The actor included one (1) member of the Lapsus$ threat group in each post, but Uber confirmed that Lapsus$ is not related to this December breach despite being previously linked to the company’s cyberattack in September 2022. Uber confirmed that this breach is not related to the security incident that took place in September and that the code identified is not owned by Uber. Teqtivity published a data breach notification on December 12, 2022, that stated the company is aware of “customer data that was compromised due to unauthorized access to our systems by a malicious third party” and that the third-party obtained access to its AWS backup server that housed company code and data files. Teqtivity also noted that its ongoing investigation identified the following exposed information: first name, last name, work email address, work location details, device serial number, device make, device model, and technical specs. The company confirmed that home address, banking information, and government identification numbers are not collected or retained. Uber and Teqtivity are both in the midst of ongoing investigations into this data breach. CTIX analysts will provide updates on the matter once available.

Threat Actor Activity

PLAY Ransomware Claims Responsibility for Antwerp Cyberattack

After last week’s ransomware attack on the city of Antwerp, a threat organization has claimed responsibility and has begun making demands. The threat group, tracked as PLAY ransomware, is an up-and-coming ransomware operation that has been posting leaked information since November 2022, according to an available posting on their leak site. Samples of the threat group’s ransomware variants have shown activity dating back to June 2022, which is around the time PLAY ransomware targeted the Argentina Court of Cordoba (August). While PLAY’s ransomware attack crippled several sectors of Antwerp, it appears to have had a significant impact on residential facilities throughout the city, as stated by officials. According to PLAY NEWS, PLAY’s ransomware leak site, the publication date for the exfiltrated data is Monday, December 19, 2022, if the undisclosed ransom is not paid. PLAY threat actors claim to have 557 gigabytes (GB) worth of Antwerp-related data including but not limited to personal identifiable information, passports, identification cards, and financial documents. CTIX continues to monitor the developing situation and will provide additional updates as more information is released.

Vulnerabilities

Fortinet Patches Critical RCE Vulnerability in FortiOS SSL-VPN Products

After observing active exploitation attempts in-the-wild, the network security solutions manufacturer Fortinet has patched a critical vulnerability affecting their FortiOS SSL-VPN products. The flaw, tracked as CVE-2022-42475, was given a CVSS score of 9.3/10 and is a heap-based buffer overflow, which could allow unauthenticated attackers to perform arbitrary remote code execution (RCE) if successfully exploited. Specifically, the vulnerability exists within the FortiOS sslvpnd product, which enables individual users to safely access an organization’s network, client-server applications, and internal network utilities and directories without the need for specialized software. The vulnerability was first discovered by researchers from the French cybersecurity firm Olympe Cyberdefense who warned users to monitor their logs for suspicious activity until a patch was released. Although very few technical details about the exploitation have been divulged, Fortinet did share lists of suspicious artifacts and IPs. Based on research by Ankura CTIX analysts, the IPs released by Fortinet are located around the globe and are not associated with known threat actors at this time. To prevent exploitation, all Fortinet administrators leveraging FortiOS sslvpnd should ensure that they download and install the latest patch. If organizations cannot immediately patch their systems due to the business interruption it would cause, Olympe Cyberdefense suggests “customers monitor logs, disable the VPN-SSL functionality, and create access rules to limit connections from specific IP addresses.” A list of the affected products and their solutions, as well as the indicators of compromise can be found in the Fortinet advisory linked below.

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. 

Article By Ankura Cyber Threat Investigations and Expert Services

For more cybersecurity legal news, click here to visit the National Law Review.

Copyright © 2022 Ankura Consulting Group, LLC. All rights reserved.

Cyber Incident Reporting for Critical Infrastructure Act

On September 12, 2022, the Cybersecurity and Infrastructure Security Agency (“CISA”) released a Request for Information (“RFI”) seeking public input regarding the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). The public comment period will close on November 14th, 2022. The RFI provides a “non-exhaustive” list of topics on which CISA seeks public input, including:

  • Definitions and criteria of various terms, such as “covered entity,” “covered cyber incident,” “substantial cyber incident,” “ransom payment,” “ransom attack,” “supply chain compromise” and “reasonable belief;”
  • Content of reports on covered cyber incidents and the submission process (e.g., how entities should submit reports, report timing requirements, and which federal entities should receive reports;
  • Any conflict with existing or proposed federal or state cyber incident reporting requirements;
  • The expected time and costs associated with reporting requirements; and
  • Common best practices governing the sharing of information related to security vulnerabilities in the U.S. and internationally.

In March 2022, President Biden signed CIRCIA into law. CIRCIA creates legal protections and provides guidance to companies that operate in critical infrastructure sectors, including a requirement to report cyber incidents within 72 hours, and report ransom payments within 24 hours. The CISA website features more information about the law, the RFI, and a list of public listening sessions with CISA to provide input.

Article By Privacy and Cybersecurity Practice Group at Hunton Andrews Kurth

For more privacy and cybersecurity legal news, click here to visit the National Law Review.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

Hackers Caused a Traffic Jam in Moscow

Hackers caused a massive traffic jam in Moscow by exploiting the ride-sharing app Yandex Taxi and using it to summon dozens of taxis to a single location. While Yandex has not confirmed the attacker’s identity, the hacktivist group Anonymous claimed responsibility on Twitter. The group has been actively taking aim at Russian targets in response to the Russian Federation’s ongoing invasion of Ukraine.

Yandex claims that it has implemented new algorithms to detect this type of attack in the future and will compensate the affected drivers.

This traffic jam is a new application of an old hacktivist tactic: flood the system to make it unusable. Other techniques in this vein include blackouts (which target fax machines) and distributed denial of service (which targets websites and networks). No word yet on whether this new rideshare jam exploit will merit a snappy title.

Blair Robinson contributed to this article. 

For more Global Law news, click here to visit the National Law Review.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.

Acronis Reports Ransomware Damages Will Exceed $30B by 2023

In its Mid-Year Cyberthreat Report published on August 24, 2022, cybersecurity firm Acronis reports that ransomware continues to plague businesses and governmental agencies, primarily through phishing campaigns.

According to the report over 600 malicious email campaigns were launched in the first half of 2022, with the goal of stealing credentials to launch ransomware attacks. Other attack vectors included vulnerabilities to cloud-based networks, targeting unpatched or software vulnerabilities, and cryptocurrency and decentralized finance systems.

According to Acronis, “ransomware is worsening, even more so than we predicted.” It estimates that global damages related to ransomware attacks will top $30 billion by 2023.

Article By Linn F. Freedman of Robinson & Cole LLP

For more cybersecurity legal news, click here to visit the National Law Review.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.

A Rule 37 Refresher – As Applied to a Ransomware Attack

Federal Rule of Civil Procedure 37(e) (“Rule 37”) was completely rewritten in the 2015 amendments.  Before the 2015 amendments, the standard was that a party could not generally be sanctioned for data loss as a result of the routine, good faith operation of its system. That rule didn’t really capture the reality of all of the potential scenarios related to data issues nor did it provide the requisite guidance to attorneys and parties.

The new rule added a dimension of reasonableness to preservation and a roadmap for analysis.  The first guidepost is whether the information should have been preserved. This rule is based upon the common law duty to preserve when litigation is likely. The next guidepost is whether the data loss resulted from a failure to take reasonable steps to preserve. The final guidepost is whether or not the lost data can be restored or replaced through additional discovery.  If there is data that should have been preserved, that was lost because of failure to preserve, and that can’t be replicated, then the court has two additional decisions to make: (1) was there prejudice to another party from the loss OR (2) was there an intent to deprive another party of the information.  If the former, the court may only impose measures “no greater than necessary” to cure the prejudice.  If the latter, the court may take a variety of extreme measures, including dismissal of the action. An important distinction was created in the rule between negligence and intention.

So how does a ransomware attack fit into the new analytical framework? A Special Master in MasterObjects, Inc. v. Amazon.com (U.S. Dist. Court, Northern District of California, March 13, 2022) analyzed Rule 37 in the context of a ransomware attack. MasterObjects was the victim of a well-documented ransomware attack, which precluded the companies access to data prior to 2016. The Special Master considered the declaration from MasterObjects which explained that, despite using state of the art cybersecurity protections, the firm was attacked by hackers in December 2020.  The hack rendered all the files/mailboxes inaccessible without a recovery key set by the attackers.  The hackers demanded a ransom and the company contacted the FBI.  Both the FBI and insurer advised them not to pay the ransom. Despite spending hundreds of hours attempting to restore the data, everything prior to 2016 was inaccessible.

Applying Rule 37, the Special Master stated that, at the outset, there is no evidence that any electronically stored information was “lost.”  The data still exists and, while access has been blocked, it can be accessed in the future if a key is provided or a technological work-around is discovered.

Even if a denial of access is construed to be a “loss,” the Special Master found no evidence in this record that the loss occurred because MasterObjects failed to take reasonable steps to preserve it. This step of the analysis, “failure to take reasonable steps to preserve,” is a “critical, basic element” to prove spoliation.

On the issue of prejudice, Amazon argued that “we can’t know what we don’t know” (related to missing documents).  The Special Master did not find Amazon’s argument persuasive. The Special Master concluded that Amazon’s argument cannot survive the adoption of Rule 37(e). “The rule requires affirmative proof of prejudice in the specific destruction at issue.”

Takeaways:

  1. If you are in a spoliation dispute, make sure you have the experts and evidence to prove or defend your case.

  2. When you are trying to prove spoliation, know the new test and apply it in your analysis (the Special Master noted that Amazon did not reference Rule 37 in its briefing).

  3. As a business owner, when it comes to cybersecurity, you must take reasonable and defensible efforts to protect your data.

Article By Gretchen E. Moore of Strassburger McKenna Gutnick & Gefsky

For more cybersecurity and media legal news, click here to visit the National Law Review.

©2022 Strassburger McKenna Gutnick & Gefsky

Chinese APT41 Attacking State Networks

Although we are receiving frequent alerts from CISA and the FBI about the potential for increased cyber threats coming out of Russia, China continues its cyber threat activity through APT41, which has been linked to China’s Ministry of State Security. According to Mandiant, APT41 has launched a “deliberate campaign targeting U.S. state governments” and has successfully attacked at least six state government networks by exploiting various vulnerabilities, including Log4j.

According to Mandiant, although the Chinese-based hackers are kicked out of state government networks, they repeat the attack weeks later and keep trying to get in to the same networks via different vulnerabilities (a “re-compromise”). One such successful vulnerability that was utilized is the USAHerds zero-day vulnerability, which is a software that state agriculture agencies use to monitor livestock. When the intruders are successful in using the USAHerds vulnerability to get in to the network, they can then leverage the intrusion to migrate to other parts of the network to access and steal information, including personal information.

Mandiant’s outlook on these attacks is sobering:

“APT41’s recent activity against U.S. state governments consists of significant new capabilities, from new attack vectors to post-compromise tools and techniques. APT41 can quickly adapt their initial access techniques by re-compromising an environment through a different vector, or by rapidly operationalizing a fresh vulnerability. The group also demonstrates a willingness to retool and deploy capabilities through new attack vectors as opposed to holding onto them for future use. APT41 exploiting Log4J in close proximity to the USAHerds campaign showed the group’s flexibility to continue targeting U.S state governments through both cultivated and co-opted attack vectors. Through all the new, some things remain unchanged: APT41 continues to be undeterred by the U.S. Department of Justice (DOJ) indictment in September 2020.

Both Russia and China continue to conduct cyber-attacks against both private and public networks in the U.S. and there is no indication that the attacks will subside anytime soon.

Article By Linn F. Freedman of Robinson & Cole LLP

Copyright © 2022 Robinson & Cole LLP. All rights reserved.

Patch Up – Log4j and How to Avoid a Cybercrime Christmas

A vulnerability so dangerous that Cybersecurity and Infrastructure (CISA) Director Jen Easterly called it “one of the most serious [she’s] seen in [her] entire career, if not the most serious” arrived just in time for the holidays. On December 10, 2021, CISA and the director of cybersecurity at the National Security Agency (NSA) began alerting the public of a critical vulnerability within the Apache Log4j Java logging framework. Civilian government agencies have been instructed to mitigate against the vulnerability by Christmas Eve, and companies should follow suit.

The Log4j vulnerability allows threat actors to remotely execute code both on-premises and within cloud-based application servers, thereby obtaining control of the impacted servers. CISA expects the vulnerability to affect hundreds of millions of devices. This is a widespread critical vulnerability and companies should quickly assess whether, and to what extent, they or their service providers are using Log4j.

Immediate Recommendations

  • Immediately upgrade all versions of Apache Log4j to 2.15.0.
  • Ask your service providers whether their products or environment use Log4j, and if so, whether they have patched to the latest version. Helpfully, CISA sponsors a community-sourced GitHub repository with a list of software related to the vulnerability as a reference guide.
  • Confirm your security operations are monitoring internet-facing systems for indicators of compromise.
  • Review your incident response plan and ensure all response team information is up to date.
  • If your company is involved in an acquisition, discuss the security steps taken within the target company to address the Log4j vulnerability.

The versatility of this vulnerability has already attracted the attention of malicious nation-state actors. For example, government-affiliated cybercriminals in Iran and China have a “wish list” (no holiday pun intended) of entities that they are aggressively targeting with the Log4j vulnerability. Due to this malicious nation-state activity, if your company experiences a ransomware attack related to the Log4j vulnerability, it is particularly important to pay attention to potential sanctions-related issues.

Companies with additional questions about the Log4j vulnerability and its potential impact on technical threats and potential regulatory scrutiny or commercial liability are encouraged to contact counsel.

Article By Philip J. Bezanson, Brittney E. Justice, Claire E. Cahoon, and Seth D. DuCharme of Bracewell LLP

For more cybersecurity legal news, click here to visit the National Law Review.

© 2021 Bracewell LLP