U.S. intelligence agencies, including the FBI, the Office of the Director of National Intelligence, the National Security Agency and the Cybersecurity and Infrastructure Security Agency, have confirmed that Russia was behind the SolarWinds hack. It is reported that the FBI is investigating whether Russia hacked into JetBrains’ TeamCity, a DevOps build-management tool, to originally plant its malware in SolarWinds Orion, causing a cascade of downstream opportunities for Russia to access numerous governmental agencies’ systems, as well as thousands of private company systems.

In the fall-out, the Department of Justice, which includes the FBI, the Drug Enforcement Agency and the U.S. Marshals Service, announced this week that 3 percent of its employees’ emails were compromised as a result of the SolarWinds hack. This is very concerning and shows the magnitude and seriousness of the incident.

In more disturbing news, Microsoft has confirmed that the hackers behind the SolarWinds incident were able to access its systems and that some of its source code was viewed by the hackers. Notably, Microsoft confirmed that the code was not modified and that the Russians did not access its products or services, including customer information.

Cybersecurity firms, including Palo Alto Networks and SentinelOne, are offering free tools that companies can use to identify the SUNBURST malware variant and determine whether they have been affected.

We will continue to see significant fall-out from this devastating incident. If your company has not assessed its risk of being affected by the SolarWinds hack, you may wish to consider devoting time and resources to help make that determination now.

The Office of the Comptroller of the Currency, Treasury (OCC), the Board of Governors of the Federal Reserve System (Board), and the Federal Deposit Insurance Corporation (FDIC) recently announced a “Notice of Proposed Rulemaking for the Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers.” This new rule would require a banking organization to provide prompt notification to its primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident” no later than 36 hours after the banking organization believes in good faith that a notification incident has occurred. According to the information released jointly by the agencies, they anticipate that a banking organization would take a reasonable amount of time to determine that it has experienced a notification incident. Notification would be required only after that determination was made.

The proposed rule defines both a “computer-security incident” and a “notification incident.” Notification incidents trigger the notice to federal regulators. Some examples of notification incidents include large-scale denial-of-service attacks that disrupt service for more than four hours, widespread system outages caused by service providers of the organization’s core banking platform, hacking and malware that cause widespread outages, system failures that result in the activation of a disaster recovery plan, and a ransomware attack that encrypts a core banking system or backup data.

In their notice, the agencies state that it is important that the primary federal regulator of a banking organization be notified as soon as possible of a significant computer-security incident that could jeopardize the viability of the operations of an individual banking organization, result in customers being unable to access their deposit and other accounts, or impact the stability of the financial sector.

The proposed rule would apply to the following banking organizations: national banks, federal savings associations, and federal branches and agencies; U.S. bank holding companies and savings and loan holding companies, state member banks, and the U.S. operations of foreign banking organizations; and all insured state nonmember banks, insured state-licensed branches of foreign banks, and state savings associations.

The agencies are seeking public comment on all aspects of the proposal including 16 specific questions related to the proposal. Comments must be received within 90 days of publication of the proposed rules in the Federal Register.

2020 will go down as one of the most stressful years in my career as a cybersecurity professional. I have been working in this area of law full time since 2003. So that says a lot.

On top of the stress of the spread of the coronavirus, this has been a particularly stressful year assisting clients with security incidents, ransomware extortions, data security in migrating from on premises to work from home, and keeping employees educated and vigilant. Indeed, it has been difficult and exhausting. And I’m just the lawyer.

Your IT professionals have been through HELL this year. They are working beyond capacity, with limited resources, trying to keep organizations safe from highly sophisticated hackers and nation states, including Russia and China. They are doing their very best to find the right tools to keep the bad guys out of networks and systems, at the same time trying to get their users not to click on links, attachments or phishing emails. They are getting attacked from within and without. It is a war for them every day.

Give them some love. A thank you goes a long way. Our IT professionals are losing sleep every night, working long hours, keeping our data safe, and dealing with attacks that you can’t even begin to fathom.

They battle for us in the background, on the front line, and never get any credit for how important their job is to our ability to do our job.

So this holiday season, take a little time and reach out to your IT professionals and say “Thank you.” They deserve a ton of credit and LOVE from all of us.

As the holiday shopping season comes to an end, consumers should still be aware that hackers are sending fake delivery notifications appearing to come from companies like FedEx and UPS, especially as the last few days of package arrivals pass by. The hackers’ messages prompt consumers to enter personal information, such as credit card details, to resolve an issue with package delivery, or they immediately launch malware or ransomware when the recipient clicks a link. According to a recent CNBC report on this ‘shipageddon’ launched by hackers, one consumer received an email message appearing to be from UPS informing him that his package could not be delivered. Once he clicked the link provided to solve the issue, his screen started flashing and his computer was encrypted with ransomware requesting 150 bitcoins (or about $66,000). Upon the consumer’s refusal, his computer was wiped clean.

The CNBC report, citing data from cybersecurity firm Check Point Software Technologies, states that fraudulent delivery messages rose by 440 percent from October to November, and that fraudulent shipping messages overall rose 72 percent since November 2019. Don’t fall victim to these scams: at a minimum, before clicking on a provided link or offering up your personal information, make sure that the message includes correct spelling and company logos.

On the heels of the concerning security incident experienced by FireEye, and during the investigation of its own incident, FireEye discovered that multiple updates issued by SolarWinds, a cybersecurity firm that many governmental and private companies use to monitor networks, were “trojanized”: malware was inserted into the updates between March and May of 2020.

The malware allowed Russian operatives to hack into several governmental agencies, including the Departments of Homeland Security (DHS), State, National Institutes of Health, Commerce (National Telecommunications and Information Administration Office) and Treasury. In addition, it is reported that the Departments of Justice and Defense also were customers of SolarWinds. The DHS’s Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to all government agencies to disconnect and stop using SolarWinds.

This compromising situation is obviously concerning for national security, particularly as CISA Director Christopher Krebs was recently summarily dismissed and many other top leaders of the agency have departed, at a time when we most need strong leadership from the federal agency in charge of cybersecurity.

Unfortunately, the bad news doesn’t stop there. SolarWinds reported to the Securities and Exchange Commission this week that it believes that approximately 18,000 of its private company customers also could be affected by the malware.

Security experts are warning all private companies to follow the CISA emergency directive to federal agencies and to disconnect and stop using SolarWinds until the details can be sorted out. This is sound guidance for companies that use SolarWinds to mitigate risk until more information is available. It is important that executives and IT personnel be in close contact about whether the company uses SolarWinds and heed the CISA emergency directive to disconnect while the effects of the compromise are being determined.

Cyber criminals are taking advantage of the increase in online holiday shopping due to the pandemic. They know people are buying gifts online and sending the packages to the recipients. Often, the recipients do not know they are receiving a gift as it is intended to be a surprise. 

Cyber criminals have stepped up their attempts to infiltrate personal devices and company systems through phishing emails and texts that spoof well-known carriers, such as UPS and FedEx. The email or text looks like a real communication from UPS or FedEx as it includes the company logo and tells the recipient that a package is on its way, but that the user needs to either update their delivery preferences or can check the delivery status by “clicking here.” It’s that “clicking here” instruction that dupes users into clicking on the link (even when they know they shouldn’t), which then infects their device or the system with malware or ransomware. 

We all love to get presents and packages. If you are sending a package or gift to someone, let them know that it is on the way. If you receive a message from a carrier that you weren’t expecting, be cautious and wicked paranoid about clicking on any links or attachments, just as you should with any other suspicious email or text.
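The spoofed-carrier lure described here (and in the CNBC “shipageddon” item above) works because the logo and visible wording claim one company while the “click here” link points somewhere else. The following is an added example, not code from this blog, from CNBC, or from any carrier: a defender-side check that pulls every link out of an HTML message body and flags the ones whose host lies outside the domain of the brand the message claims to be from. The sample message body, the small brand-to-domain table, and the placeholder host ups-delivery-update.example are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body (not a real lure): the logo and wording say
# UPS, but the "Click here" link resolves to an unrelated placeholder host.
SAMPLE_HTML = """
<html><body>
<img src="https://www.ups.com/assets/logo.png" alt="UPS">
<p>Your package could not be delivered. Please update your delivery preferences.</p>
<p><a href="http://ups-delivery-update.example/track?id=123">Click here</a> to check status.</p>
<p><a href="https://www.ups.com/track">Official tracking page</a></p>
</body></html>
"""

# Assumed mapping from the brand a message claims to the domain that brand
# actually uses; a real deployment would maintain a fuller, curated table.
BRAND_DOMAINS = {"ups": "ups.com", "fedex": "fedex.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently being read, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((self._href, text))
            self._href = None


def host_in_domain(host, domain):
    """True when host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def suspicious_links(html, claimed_brand):
    """Return the links in html whose host is outside the claimed brand's domain.

    claimed_brand is the carrier the message presents itself as (for example
    "ups"). Each link that does not resolve to that brand's domain is returned
    as an (href, visible text) pair for a mail filter or the recipient to flag.
    """
    expected = BRAND_DOMAINS[claimed_brand.lower()]
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if not host_in_domain(host, expected):
            flagged.append((href, text))
    return flagged


if __name__ == "__main__":
    for href, text in suspicious_links(SAMPLE_HTML, "ups"):
        print(f"FLAG: '{text}' -> {href}")
```

The check deliberately compares the link host against the brand’s real domain rather than looking for the brand name inside the URL, since a host such as ups-delivery-update.example contains the brand name and would pass a naive substring test.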

The Department of Justice in October announced charges against six men believed to work for the Russian GRU and linked to some of the most sinister cyber attacks of the last decade, including the NotPetya malware and attacks on the government of Ukraine. In this podcast we talk to two men who helped build the DOJ’s case: Cisco’s Matt Olney, the Director of Talos Threat Intelligence and Interdiction, and Craig Williams, the Talos Director of Outreach, about the case against the Russian actors and what companies can do to defend themselves.

The news this week was that FireEye, one of the U.S.’s most prominent cyber security firms, had itself become a victim of a cyber crime. The likely suspects: state-sponsored hackers working on behalf of the Government of Russia.

Now, according to reports, Russian hacking groups may have access to FireEye’s custom “red team” tools for testing clients’ defenses or identifying malicious activity. That’s a possible bounty for Russian state-sponsored crews like so-called “Cozy Bear,” or APT 29, which are already among the most feared cyber adversaries in the world.

But just because Russian hacking groups often act with impunity doesn’t mean they’re invisible – or even unknowable. In fact, it was just a few weeks ago – on October 15 – that the U.S. Justice Department named six officers of Russia’s GRU in connection with a string of high-profile hacks and cyber attacks including the NotPetya malware and attacks on the government of Ukraine and on the 2018 PyeongChang Winter Olympic games.

The men were believed to be part of state-sponsored hacking groups with names like “Sandworm Team,” “Telebots,” “Voodoo Bear,” and “Iron Viking,” according to a statement by the DOJ.

How did the U.S. Justice Department follow the tracks from those amorphous attacks to six Russian men? Our guests this week were among those working behind the scenes to make sense of those attacks and help understand what happened and who was behind them.

Talos had a front row seat in a number of the incidents mentioned in the Department of Justice report, including the NotPetya outbreak, the attacks on Ukraine and the campaign against the 2018 Olympics. Craig and Matt joined me in the Security Ledger studio to talk about the DOJ announcement and what goes into the project of identifying and charging foreign hacking groups. We also talk about what it takes to stop and even catch a Russian APT group, and what companies can do to protect themselves from the world’s most elite offensive hackers.

Although it is logical that cyber-attacks have risen during the pandemic, and there is anecdotal evidence, including our own experience, that they have, an interesting new report was recently released by Allianz, which provides cyber-liability insurance products.

According to the report, “While the COVID-19 outbreak cannot be said to be a direct cause of cyber-related claims, exposures have been rising during the pandemic, particularly with regards to ransomware and business email compromise incidents, given the increase in remote working and the likelihood that security safeguards may not be as robust in the home office.”

The report analyzes the cause of loss by value of claims and by number of claims, finding 1,736 claims worth $770 million from 2015-2020. The analysis shows that external manipulation of computer systems (i.e., DDoS or phishing/malware/ransomware) is the most expensive, “but the analysis also shows that more mundane technical failures, IT glitches or human error incidents are the most frequent generator of claims.”

The report also states that “Whether it results from an external cyber-attack, human error or a technical failure, business interruption is the main cost driver behind cyber claims. It accounts for around 60% of the value of all claims analyzed with the costs associated with dealing with data breaches ranking second.”

The number one threat cited in the report is “Laxer Security Post COVID-19 Heightens Cyber Risk.” Since the migration to working from home, the report states that “malware and ransomware incidents have already increased by more than a third, at the same time as a 50%+ increase in phishing, scams, and fraud, according to international police body, INTERPOL.”

The report further reinforces the need for companies to address the increased risk that accompanies a remote workforce, employee education and engagement, and providing employees with tools to protect themselves and their employer’s data. As the report aptly states: “Employers and employees must work together to raise awareness and increase cyber resilience in the home office set up.”

The threat-related statistics of malware and ransomware are mind-boggling. We have regularly reported on the dramatic increase of ransomware, but the statistics on successful exploitation and botnet activities are just as bad.

According to Nuspire’s Q3 Threat Landscape Report (www.nuspire.com), based upon its experience over the last three months, there was an increase of 128.21 percent in malware events since Q2. Even more shocking is that the summary of findings shows that there were 3,646,448 malware events, 30,480,289 exploitation events, and 1,519,869 botnet events.

Just to put that in perspective, there were 1,168 unique malware variants detected, 43,410 malware variants were detected per day, and 303,870 malware variants were detected per week. According to the Report, “The largest contribution to increased activity was Visual Basic for Applications based documents…. VBA Agents are a generic type of trojan that utilize Microsoft Office applications such as Microsoft Word and Microsoft Excel. These are often deployed in malspam campaigns and include common lures such as legal documents, invoices or may be themed after prominent media events.”

VBA Agents are used to introduce Emotet, which Nuspire found to have increased between Q2 and Q3. Therefore, “[O]rganizations should be extremely cautious when interacting with email attachments, especially ones from unknown senders and those that contain macros. User awareness training is critical to prevent interaction with these files…”
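The report’s advice to be cautious with attachments “that contain macros” raises the practical question of how a mail gateway or help desk can tell, from the file itself rather than its name, whether an Office attachment carries a VBA project. The following is an added example, not code from Nuspire or from this blog: a small content-based triage that recognises OOXML containers (the zip-based .docx/.docm/.xlsm family) and looks for the vbaProject.bin part that macro-enabled documents carry, and that separately flags legacy OLE2 binaries (.doc/.xls), where macros cannot be ruled out without parsing the OLE streams. The sample attachments are constructed in memory; the build_ooxml helper and the file names are assumptions for illustration.

```python
import io
import zipfile

# OLE2 compound-file signature used by legacy .doc/.xls binaries.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_ooxml(parts):
    """Build an in-memory OOXML-style zip container from {part name: bytes}.
    Helper used only to construct the sample attachments below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample attachments (not real files): an OOXML document is a zip
# listing its parts in [Content_Types].xml; a macro-enabled one also carries
# a vbaProject.bin part under word/ or xl/.
SAMPLE_ATTACHMENTS = {
    "invoice.docx": build_ooxml({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
    }),
    "invoice.docm": build_ooxml({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
        "word/vbaProject.bin": b"\x00" * 32,   # stand-in for a real VBA project stream
    }),
    "report.xlsm": build_ooxml({
        "[Content_Types].xml": b"<Types/>",
        "xl/workbook.xml": b"<workbook/>",
        "xl/vbaProject.bin": b"\x00" * 32,
    }),
    "legacy.doc": OLE_MAGIC + b"\x00" * 504,   # header only; enough to recognise the format
    "notes.txt": b"plain text, nothing to see here",
}


def classify_attachment(data):
    """Classify an attachment by macro risk using its content, not its file name.

    Returns one of:
      "macro-enabled"  OOXML container that carries a VBA project
      "no-macro"       OOXML container without a VBA project
      "legacy-binary"  OLE2 compound file (.doc/.xls); macros cannot be ruled
                       out from the header alone, so treat as needing review
      "not-office"     anything else
    """
    if data.startswith(OLE_MAGIC):
        return "legacy-binary"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-office"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n.lower() for n in zf.namelist()]
    if "[content_types].xml" not in names:
        return "not-office"
    if any(n.endswith("/vbaproject.bin") for n in names):
        return "macro-enabled"
    return "no-macro"


def needs_review(data):
    """True when the attachment should be held for review before a user opens it."""
    return classify_attachment(data) in ("macro-enabled", "legacy-binary")


def triage(attachments):
    """Return {file name: classification} for a batch of attachments."""
    return {name: classify_attachment(data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name:14s} {verdict}")
```

Because the verdict comes from the container’s contents, an attachment renamed to a harmless-looking extension is classified the same way as one with its true extension; pairing this check with the report’s user-awareness training gives a technical backstop for the moment a user is tempted to open an invoice or legal-document lure.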

The statistics are scary and are getting worse. Malware protection and prevention come down to the same thing: user awareness. One user can click on one malicious phishing email and all safety protocols can be compromised. Users have to understand the increased risk they pose to the company, and companies have to provide their users with tools so they don’t become victims. Let’s make December “User Education and Awareness Month” and get that user education on the books before the end of the year.