Binary Check Ad Blocker Security News

Cybersecurity firm SonicWall Inc. is investigating an attack on its internal systems that it describes as “highly sophisticated.” According to SonicWall, the investigation is centered around its Secure Mobile Access 100 series, which assists with end-to-end secure remote access.

The company said that a few thousand devices have been impacted and that it is trying to determine whether the attackers exploited a zero-day vulnerability in the SMA 100 series product.

Although it sounds very similar to the recent SolarWinds cyber-attack, it is presently unknown whether this incident is related to that attack or whether it was caused by the Russia-based attackers behind the SolarWinds incident.

It is clear that cybersecurity firms are being heavily targeted by cyber-attackers and are not immune from the onslaught of cyber-attacks we are seeing across the board in every industry. It also emphasizes the fact that cyber risk can never be completely transferred. Data security is a team sport. Reasonable cyber-hygiene inside your organization, together with outside tools that augment your security posture, both help to minimize risk, but hackers are using more and more sophistication in their attacks, which present risk internally and externally. What is crystal clear from these attacks on cybersecurity firms is that cybersecurity and vendor management must continue to be a high priority for organizations in order to manage cyber risk.

Marriott recently won dismissal of a proposed class action data breach lawsuit alleging several violations, including a violation of the California Consumer Privacy Act (CCPA). The case, Arifur Rahman v. Marriott International, Inc. et al., Case No.: 8:20-cv-00654, was dismissed in an Order by U.S. District Court Judge David O. Carter on January 12, 2021.

The Plaintiff in the lawsuit alleged that he was a member of a “class that were victims of a cybersecurity breach at Marriott when two employees of a Marriott franchise in Russia accessed class members’ names, addresses, phone numbers, email addresses, genders, birth dates, and loyalty account numbers without authorization.” Marriott admitted there was a breach, sent letters to affected individuals, and confirmed that no sensitive information, such as social security numbers, credit card information, or passwords, was compromised.

The matter was dismissed, as the Court found that it lacked subject matter jurisdiction as the Plaintiff lacked standing to sue. The Court was clear that in the 9th Circuit, the sensitivity of the personal information, combined with its theft, are prerequisites to finding that plaintiffs alleged injury in fact. Injury in fact is one of the three elements necessary to support Article III standing.

The data breach in this case affected approximately 5.2 million Marriott customers, but the information accessed by hackers was not “sensitive information,” which was a required element to be able to continue the lawsuit.

Following Ubiquiti’s security incident and its subsequent recommendation to change your router password and enable multi-factor authentication, and the fact that it is widely reported that using default passwords on routers while working from home is a security risk, we thought it would be helpful to remind you to change your router password sooner rather than later.

Security experts have warned us for years that our wireless routers are an easy gateway for hackers to get into our systems, and that the manufacturer’s default passwords on routers are freely accessible on the Internet. Therefore, it is important to change your router’s password to a unique security password from the default password when you set up your router.

To assist, Lifewire has a tutorial that is easy to follow and can be accessed here.

Please note Lifewire’s caution of not using the same password for your router as you do for your WiFi. They should be separate and distinct from each other. Limiting access to your WiFi is also important for data security.

While it looks like the work-from-home model will continue, implementing these security measures is important for the protection of our data on both personal and professional levels.

The maritime industry is an enticing target for hackers. The Port of Los Angeles (the Port) alone facilitated about $276 billion in trade last year, and the International Chamber of Shipping estimated that the total value of world shipping was around $14 trillion in 2019. The Port has plans to construct a multi-million-dollar cyber intelligence facility as a hub for information sharing between the public and private sectors to thwart the increasing attacks on the maritime and logistics industries. This facility, the Cyber Resilience Center, is one of the first of its type to be built in the United States. The Port’s Executive Director, Gene Seroka, said, “What we’ve noticed over time is that the potential penetrations and cyber threats have grown each and every year,” including incidents like the 2017 NotPetya attacks that affected shipping lines, the 2018 ransomware targeting of the Port of Long Beach, and the October 2020 ransomware attack on CMA CGM S.A., a French transportation and container shipping company. Seroka said that as the threats became more evident, the Port “needed to find a way to bring the private sector into this space as well.” The Cyber Resilience Center is expected to go live by the end of 2021. Participants in this information exchange will be able to share information anonymously through the platform, which will standardize data from different companies’ cybersecurity tools. The Port’s Chief Information Officer will lead the project, which will operate alongside the Port’s cybersecurity operations center.

Seroka said that he hopes the Cyber Resilience Center will be a model for other large ports across the United States since information-sharing is such a vital defensive tool. As the shipping industry becomes even more digitized, cyber threats will require facilities such as ports to prioritize set data standards, business rules and open architecture for facilitating information sharing in a secure, protected manner.

The Office of the Comptroller of the Currency, Treasury (OCC), the Board of Governors of the Federal Reserve System (Board), and the Federal Deposit Insurance Corporation (FDIC) recently announced a “Notice of Proposed Rulemaking for the Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers.” This new rule would require a banking organization to provide prompt notification to its primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident” no later than 36 hours after the banking organization believes in good faith that a notification incident has occurred. According to the information released jointly by the agencies, they anticipate that a banking organization would take a reasonable amount of time to determine that it has experienced a notification incident. Notification would be required only after that determination was made.

The proposed rule defines both a “computer-security incident” and a “notification incident.” Notification incidents trigger the notice to federal regulators. Some examples of notification incidents include large-scale outages, denial-of-service attacks that disrupt service for more than four hours, widespread system outages caused by the service providers of its core banking platform, hacking and malware that cause widespread outages, system failures that result in the activation of a disaster recovery plan, and a ransomware attack that encrypts a core banking system or backup data.

In their notice, the agencies state that it is important that the primary federal regulator of a banking organization be notified as soon as possible of a significant computer-security incident that could jeopardize the viability of the operations of an individual banking organization, result in customers being unable to access their deposit and other accounts, or impact the stability of the financial sector.

The proposed rule would apply to the following banking organizations: national banks, federal savings associations, and federal branches and agencies; U.S. bank holding companies and savings and loan holding companies, state member banks, and the U.S. operations of foreign banking organizations; and all insured state nonmember banks, insured state-licensed branches of foreign banks, and state savings associations.

The agencies are seeking public comment on all aspects of the proposal including 16 specific questions related to the proposal. Comments must be received within 90 days of publication of the proposed rules in the Federal Register.

Home Depot has agreed to settle a multi-state enforcement action by 46 U.S. states and Washington, D.C. arising from the data breach that occurred in 2014. Home Depot has agreed to pay $17.5 million to put the enforcement action behind it. The investigation was led by the Attorneys General of Connecticut, Illinois and Texas.

The multi-state investigation followed Home Depot’s data breach that affected 40 million customers who used self-checkout terminals in its U.S. and Canadian stores between April 10, 2014, and September 13, 2014. According to the investigation, hackers used a vendor’s username and password to infiltrate Home Depot’s network and deployed malware to access the customers’ payment card information. In addition to the credit card information, at least 52 million people’s email addresses were exposed.

In announcing the settlement, Connecticut Atty. Gen. William Tong stated that companies collecting sensitive personal information “have an obligation to protect information from unlawful use or disclosure… Home Depot failed to take those precautions.” In addition to the monetary settlement, Home Depot has agreed to hire a Chief Information Security Officer, upgrade its security procedures and provide employee training. Home Depot denies liability in the matter.

You probably heard about the recent hack of Twitter accounts that took place on July 15, 2020. The hackers took over several prominent Twitter accounts, which resulted in a scam that netted over $118,000 in bitcoin for the hackers. One of the most startling things about the cyberattack was that it was led by a 17-year-old along with his accomplices. The hackers took over the accounts of well-known individuals including Barack Obama, Kim Kardashian West, Kanye West, Bill Gates, Elon Musk and many others, and tweeted a “double your bitcoin scam” from these Twitter accounts directing people to send bitcoin to fraudulent accounts.

The New York Department of Financial Services (NYDFS) issued a detailed report last week regarding this hack into the social media giant. The report found that “the Twitter Hack happened in three phases: (1) social engineering attacks to gain access to Twitter’s network; (2) taking over accounts with desirable usernames (or “handles”) and selling access to them; and (3) taking over dozens of high-profile Twitter accounts and trying to trick people into sending the Hackers bitcoin. All this happened in roughly 24 hours.”

How did the hackers do it? According to the report, the first phase of the attack started with the hackers stealing credentials of Twitter employees the old-fashioned way by using social engineering. The hackers posed as Twitter IT employees and contacted several Twitter employees claiming there was a problem with Twitter’s Virtual Private Network (VPN). The report stated that the “hackers claimed they were responding to a reported problem the employee was having with Twitter’s Virtual Private Network (VPN). Since switching to remote working, VPN problems were common at Twitter. The Hackers then tried to direct the employee to a phishing website that looked identical to the legitimate Twitter VPN website and was hosted by a similarly named domain. As the employee entered their credentials into the phishing website, the Hackers would simultaneously enter the information into the real Twitter website. This false log-in generated an MFA [multi-factor authentication] notification requesting that the employees authenticate themselves, which some of the employees did.”
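The credential relay described above can be caught at the identity provider if MFA push approvals are correlated with where the password was submitted from. As an added example (not from the NYDFS report or from Twitter), this Python detector runs over a constructed authentication log with made-up users, IP addresses and a per-user network baseline: it flags a push approved shortly after a password accepted from an off-baseline source, and an off-baseline source that submits passwords for several different users.

```python
from datetime import datetime, timedelta
import ipaddress

# Constructed sample authentication log: "<timestamp> <user> <event> <source_ip>"
SAMPLE_LOG = """\
2020-07-15T14:01:02 alice password_ok 203.0.113.7
2020-07-15T14:01:03 alice mfa_push_sent 203.0.113.7
2020-07-15T14:01:20 alice mfa_push_approved 203.0.113.7
2020-07-15T14:05:10 bob password_ok 198.51.100.44
2020-07-15T14:05:11 bob mfa_push_sent 198.51.100.44
2020-07-15T14:05:40 bob mfa_push_approved 198.51.100.44
2020-07-15T14:09:00 carol password_ok 198.51.100.44
2020-07-15T14:09:01 carol mfa_push_sent 198.51.100.44
2020-07-15T14:12:00 carol mfa_push_denied 198.51.100.44
"""

# Constructed per-user baseline: networks each user normally signs in from.
KNOWN_NETWORKS = {
    "alice": ["203.0.113.0/24"],
    "bob": ["192.0.2.0/24"],
    "carol": ["192.0.2.0/24"],
}

def parse_log(text):
    """Parse the log text into (timestamp, user, event, ip) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, event, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, event, ipaddress.ip_address(ip)))
    return events

def is_known(user, ip):
    """True if the source address falls inside the user's baseline networks."""
    return any(ip in ipaddress.ip_network(net) for net in KNOWN_NETWORKS.get(user, []))

def find_suspicious_approvals(events, window=timedelta(minutes=2)):
    """Flag (user, ip) where a password was accepted from an off-baseline
    source and an MFA push was approved within `window`. In the relay attack
    the password arrives from the attacker's machine, not the employee's."""
    alerts = []
    pending = {}  # user -> (timestamp, ip) of the latest off-baseline password_ok
    for ts, user, event, ip in events:
        if event == "password_ok" and not is_known(user, ip):
            pending[user] = (ts, ip)
        elif event == "mfa_push_approved" and user in pending:
            start, src = pending.pop(user)
            if ts - start <= window:
                alerts.append((user, str(src)))
    return alerts

def shared_unknown_sources(events):
    """Map each off-baseline source IP to the sorted users whose passwords it
    submitted; one relay host touching several accounts is a strong signal."""
    seen = {}
    for _, user, event, ip in events:
        if event == "password_ok" and not is_known(user, ip):
            seen.setdefault(str(ip), set()).add(user)
    return {ip: sorted(users) for ip, users in seen.items() if len(users) > 1}
```

Phishing-resistant authenticators (FIDO2/WebAuthn) bind the login to the real site's origin, so a relayed login through a look-alike domain fails before any push is ever sent.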

The hackers then went surfing within the Twitter system looking for employees with access to internal tools to take over accounts. This led to the second phase of the attack: taking over and selling access to original gangster (OG) Twitter accounts. According to the report, an OG Twitter account refers to accounts designated by a single word, letter, or number and adopted by Twitter’s early users. The hackers discussed taking over and selling the OG accounts in various online chat messages. On July 15, the hackers “hijacked multiple OG Twitter accounts and tweeted screenshots of one of the internal tools from some of the accounts to the accounts’ respective followers.”

The final phase of the hack involved taking over various cryptocurrency company accounts and directing users to a link to a scam bitcoin address. According to a tweet sent out by Twitter on July 16, approximately 130 accounts of high-profile verified users (those Twitter accounts that you see with the blue check mark) were taken over by the hackers with tweets asking people to send bitcoin, with the promise that the high-profile user would double the amount to be given to a charity. The bitcoin address was fraudulent, the tweets were not sent by the actual users, and the hackers were able to collect more than $118,000 in bitcoin.

The NYDFS began its investigation because the cryptocurrency companies are regulated entities. According to the report, the department instructed the cryptocurrency companies to block the hackers’ bitcoin addresses if they hadn’t already done so. This move prevented over a million dollars’ worth of fraudulent bitcoin transfers.

We write all the time about the critical importance of cybersecurity practices and protocols such as multifactor authentication, employee training regarding phishing, and using secure passwords. The general consensus appears to be that the Twitter hack was not a sophisticated one, but that the hackers knew what they were after and knew how to accomplish their goal. The NYDFS report stated that “the Twitter Hack is a cautionary tale about the extraordinary damage that can be caused even by unsophisticated cybercriminals. The Hackers’ success was due in large part to weaknesses in Twitter’s internal cybersecurity protocols.”

It has been widely reported that hackers are taking advantage of the pandemic to perpetrate scams and frauds. We have seen attacks against workers of companies through phishing emails that include an attachment or link offering information or access to specialized treatment for COVID-19 to lure people to click on them. Once they click on the link or attachment, the attacker infects the system with malware or ransomware. Cyber criminals know that people are concerned about the coronavirus and looking for more information to protect themselves and their family members, and they also are preying on the distraction of working from home.

It has become such a problem that the Department of Justice (DOJ) instructed the National Center for Disaster Fraud (NCDF) to gather coronavirus-related complaints from the public and assist with information sharing about scams. The NCDF has received more than 76,000 tips on COVID-19 related wrongdoing, and the FBI’s Internet Crime Complaint Center has received more than 20,000 tips about suspicious websites and media postings. This doesn’t include the successful phishing campaigns using COVID-19-related information to trick people into clicking on malicious links or attachments.

The United States Attorney’s Office for the Western District of Louisiana issued a reminder this week for “members of the public to be vigilant against fraudsters who are using the COVID-19 pandemic to exploit American consumers and organizations…In particular, the department is warning the public about scams perpetrated through websites, social media, emails, robocalls, and other means that peddle fake COVID-19 vaccines, tests, treatments, and protective equipment, and also about criminals that fabricate businesses and steal identities in order to defraud federal relief programs and state unemployment programs.”

In addition, the notice states “Moving forward, the department also is concerned about, and will aim to deter and prevent, attempts by wrongdoers to prey upon potential victims by leveraging news about anticipated approval of a COVID-19 vaccine or about the potential enactment of new disaster relief bills that extend or expand upon CARES Act relief.”

The notice is a good reminder to each of us, personally as well as employees, of the continued threat and of the need to remain vigilant to combat these scams. The DOJ “encourages the public to continue to report wrongdoing relating to the pandemic to the NCDF and to remain vigilant against bad actors looking to exploit this national emergency.”

Health care providers and contractors continue to be a popular target for hackers. Recently, CHSPSC LLC (CHSPSC), which provides various services to hospitals and clinics indirectly owned by Community Health Systems, Inc. of Tennessee, agreed to pay $2,300,000 to the Office for Civil Rights (OCR) in settlement of potential violations of HIPAA’s Privacy and Security Rules. The OCR investigation and settlement stemmed from a data breach affecting over six million people.

The services provided by CHSPSC to the health care facilities included legal, compliance, accounting, operations, human resources, information technology, and health information management. In April 2014, the FBI notified CHSPSC that a cyber-hacking group had compromised administrative credentials and remotely accessed CHSPSC’s information system through its virtual private network (VPN). Nevertheless, even after the FBI’s notice of the problem, the hackers continued for several months to access and exfiltrate the protected health information (PHI) of some six million individuals. The information obtained included names, gender, dates of birth, phone numbers, Social Security numbers, emails, ethnicity, and emergency contact information.

OCR’s investigation found longstanding systemic noncompliance with HIPAA at CHSPSC, including failure to conduct a risk analysis as well as failures to implement information system activity reviews, security incident procedures, and access controls. OCR was particularly critical of the organization’s failure to implement security protections even after being notified by the FBI of the potential breach. Apart from the significant monetary penalty, CHSPSC must comply with a corrective action plan (CAP) that includes the following: development of an internal monitoring plan; completion of an enterprise-wide risk analysis of security risks and vulnerabilities that incorporates all electronic systems, data systems, programs and applications that involve ePHI; creation of a risk management plan; review and revision of policies regarding technical access to applications and systems involving ePHI; and training for all employees. Each step must meet with the approval of the Department of Health & Human Services (HHS), and CHSPSC must periodically report to HHS regarding its compliance with the CAP.