To file in the “no one is immune from a sophisticated attack” category, the well-known and respected security firm FireEye publicly announced this week that it has experienced an attack by a state-sponsored (that is, foreign government) hacking group, which successfully obtained its “red team tools.” This is very concerning, as the red team tools include the “special sauce” FireEye uses to test its clients’ security maturity and vulnerabilities, and could be used as a roadmap for adverse nation states to hack into the U.S. government’s or private companies’ systems.

Kudos to FireEye for making this public so the U.S. government, critical infrastructure and private companies can be on the alert for the tools to be used against them. FireEye has stated that it is working on over 300 countermeasures to assist in combatting the use of its proprietary tools by these adverse threat actors.

Unfortunately, this incident is a cold, hard, awful reminder that even the most sophisticated security firm can become the victim of a cyberattack, and since that is the case, all companies are at extreme risk of an attack and exfiltration of data.

FireEye appears poised to assist in combatting the effects of the incident, so keep a close eye on those measures. We will keep you updated as well.

Three recent events are prompting me to update our previous blog post on the difficult decision of whether to pay or not to pay ransomware following an attack [view related post].

The first event is that the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory on October 1, 2020, “to highlight the sanctions risks associated with ransomware payments related to malicious cyber-enabled activities.” The advisory warns that if a company or a vendor facilitates the payment of a ransom to criminals or adversaries “with a sanctions nexus,” the funds could be used “to fund activities adverse to the national security and foreign policy objectives of the United States.” Therefore, companies or vendors acting on their behalf who pay a ransom to a sanctioned individual or governments are at risk for sanctions under the Financial Crimes Enforcement Network (FinCEN) regulations.

The advisory is a very important consideration to weigh in determining whether or not to pay a ransom for encryption keys or destruction of data. For more on the OFAC Advisory, click here.

The second event was a recent thoughtful analysis on this subject matter by KrebsonSecurity, entitled “Why Paying to Delete Stolen Data is Bonkers.” Referring to a Coveware report, which states that almost half of all ransomware cases include the release of exfiltrated data, Krebs quotes from the Report “Unlike negotiating for a decryption key, negotiating for the suppression of stolen data has no finite end.”

Krebs further notes that ransomware victims who pay for the decryption key are relying on hope that the keys will work, which is not always the case.

The final event is that there is growing anecdotal evidence that Ransomware as a Service (RaaS) operators, usually less sophisticated than the big boys, are engaging in double extortion scams against their victims. This means that if you have made the business decision to pay the ransom for either the decryption keys or the destruction of data, these operators, after you have agreed to pay a negotiated amount and they have initially agreed to hold up their part of the bargain, refuse to give you the key or the confirmation of destruction until you pay more ransom. This behavior is certainly inconsistent with the general business plan of ransomware, under which the attackers return what has been ransomed after payment so that future victims can be assured that if they pay the ransom, they will get their keys or their data back. This new phenomenon provides a strong argument (in addition to the ones above) to refrain from paying the ransom. They are criminals, after all, and some are more credible and smarter than others. Attackers who engage in double extortion will rapidly get a bad reputation and are shooting themselves in the foot. However, while in the midst of the attack, you just don’t know who you are dealing with, so weighing these risks is challenging at best.

The threat-related statistics of malware and ransomware are mind-boggling. We have regularly reported on the dramatic increase of ransomware, but the statistics on successful exploitation and botnet activities are just as bad.

According to Nuspire’s Q3 Threat Landscape Report (www.nuspire.com), based upon its experience over the last three months, there was an increase of 128.21 percent in malware events since Q2. Even more shocking is that the summary of findings shows that there were 3,646,448 malware events, 30,480,289 exploitation events, and 1,519,869 botnet events.

Just to put that in perspective, there were 1,168 unique malware variants detected, 43,410 malware variants were detected per day, and 303,870 malware variants were detected per week. According to the Report, “The largest contribution to increased activity was Visual Basic for Applications based documents…. VBA Agents are a generic type of trojan that utilize Microsoft Office applications such as Microsoft Word and Microsoft Excel. These are often deployed in malspam campaigns and include common lures such as legal documents, invoices or may be themed after prominent media events.”

VBA Agents are used to introduce Emotet, which Nuspire found to have increased between Q2 and Q3. Therefore, “[O]rganizations should be extremely cautious when interacting with email attachments, especially ones from unknown senders and those that contain macros. User awareness training is critical to prevent interaction with these files…”
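The Nuspire passage above describes VBA Agents as macro-bearing Word and Excel documents delivered by malspam. As an added example (not from Nuspire or this post), the triage helper below judges an attachment by its content rather than its file extension: a modern Office file is a zip container whose VBA project is stored in a `vbaProject.bin` part, while legacy `.doc`/`.xls` files are OLE2 containers that this check only flags for deeper review. The sample attachments are constructed in-memory stand-ins, and the mail-gateway use is an assumption.

```python
"""Triage helper: flag Office attachments that carry a VBA macro project.

Added example, not code from the report quoted above. Assumed use: a
mail-gateway or SOC script that classifies attachments before a user
opens them. Detection is content-based: a renamed .docm still has its
vbaProject.bin part, so the extension is deliberately ignored.
"""
import io
import zipfile

# Magic bytes of the legacy OLE2 (Compound File Binary) container used by
# .doc/.xls. Parsing its VBA streams needs a dedicated tool, so we only flag it.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'clean', 'legacy-binary' or 'unknown' for one attachment."""
    if data.startswith(OLE2_MAGIC):
        return "legacy-binary"      # old binary Office format: send to deeper analysis
    if not data.startswith(b"PK"):
        return "unknown"            # not a zip container, so not OOXML at all
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            parts = [name.lower() for name in zf.namelist()]
    except zipfile.BadZipFile:
        return "unknown"
    # Word, Excel and PowerPoint all store the VBA project as <app>/vbaProject.bin.
    if any(part.endswith("vbaproject.bin") for part in parts):
        return "macro"
    return "clean"


def _build_ooxml(parts: dict) -> bytes:
    """Constructed sample: a minimal zip with the given part names (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for part, content in parts.items():
            zf.writestr(part, content)
    return buf.getvalue()


# Constructed sample attachments standing in for a malspam lure, a benign
# document and a legacy binary file.
SAMPLES = {
    "invoice.docm": _build_ooxml({"[Content_Types].xml": b"<Types/>",
                                  "word/document.xml": b"<w:document/>",
                                  "word/vbaProject.bin": b"\x00" * 16}),
    "invoice.docx": _build_ooxml({"[Content_Types].xml": b"<Types/>",
                                  "word/document.xml": b"<w:document/>"}),
    "old_report.doc": OLE2_MAGIC + b"\x00" * 24,
}


def triage(samples=SAMPLES) -> dict:
    """Classify every attachment in the mapping; returns {filename: verdict}."""
    return {name: classify_attachment(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name}: {verdict}")
```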

The statistics are scary and are getting worse. Malware protection and prevention all come down to the same thing: user awareness. One user can click on one malicious phishing email and all safety protocols can be compromised. Users have to understand the increased risk they pose to the company and companies have to provide their users with tools so they don’t become a victim. Let’s make December “User Education and Awareness Month” and get that user education on the books before the end of the year.

According to Cybersecurity Ventures, cybercrime is the fastest growing crime in the U.S., with damages expected to reach $6 trillion globally by 2021. Therefore, it is axiomatic that C-Suites continue to address the risk associated with cybercrime and how cybercrime will affect the business.

Ransomware continues to be one of the biggest risks to company operations. Statistics show that ransomware attacks are becoming more prolific and expensive. According to the most recent Coveware Q3 Report, ransomware incidents and ransom demands are increasing. Ransomware attacks are leaving a company paralyzed for an average of 19 days.

The inability to conduct business operations for 19 days can be devastating, especially to small and medium-sized businesses. Having an incident response plan, contingent operations plan, and disaster recovery plan is essential to minimizing the risk of failed or stalled operations. Those companies that are prepared for an attack and can implement these plans are better able to respond to a cyber-attack that leaves the company paralyzed.

It is clear that cyber-attacks and cybercrime damages are continuing to soar, particularly while companies’ workforces are working remotely. It is crucial to evaluate and put your incident response, contingent operations and disaster recovery plans in place now.

Although the Presidential race is unconfirmed at the time of this writing, there are several data privacy and security laws to put on your radar following the election this week.

Here is a brief list of laws that passed that we are aware of so far. We will provide more information as news breaks, but in this ever-changing area, we want to alert you to some important changes in the state law landscape following the election.

California’s Prop 24

This proposition updates California’s CCPA, now referred to as the California Privacy Rights Act (CPRA). In addition to other provisions [view related here and here], from a compliance perspective, it establishes a first-of-its-kind enforcement agency, the California Privacy Protection Agency, which will oversee enforcement of the CPRA, and further establishes fines and penalties for violation of the law. The law goes into effect on January 1, 2023, for all data that are collected starting on January 1, 2022. Keep this one on your compliance radar and we will update you further.

Maine Approves Referendum on Limiting Use of Facial Recognition Technology

Maine voters approved Referendum Question B, which strengthens the ban on the use of facial recognition surveillance technology by police and public officials.

Massachusetts Votes in Favor of Ballot Question 1

Massachusetts voted in favor of Ballot Question 1, which would require car manufacturers to equip vehicles using telematic systems with an open-access data platform starting with the model year 2022.

A detailed analysis of Ballot Question 1 is here.

Michigan Amends Constitution to Require Warrant for Access to Electronic Data

In Michigan, it appears that voters have approved an amendment to the state constitution to require search warrants for law enforcement to access electronic data and communications. The measure amends that part of the constitution that provides for the protection against unreasonable search and seizure.

Staying abreast of new state laws and regulations is a complex process for those charged with compliance adherence. We will continue to update you on the most significant changes to assist you in your compliance efforts.

It is no longer a matter of if, but when companies that suffer a data breach will be sued in a class action lawsuit following a data breach. Many of those data breach cases get dismissed, as it is difficult for consumers to show they have suffered a compensable harm from a particular data breach.

What is less common is a public company getting hit with a class action lawsuit by investors for securities fraud following a data breach. Several companies have been sued on the theory that, because the company failed to protect customer data and made false and misleading statements about its business, operational and financial results, a proposed class of all persons and entities that purchased or acquired shares in the time frame leading up to and following the data breach is entitled to damages, interest, fees and costs.

The common allegations in these cases are that the company issued SEC disclosures and letters to shareholders stating that it was doing well and that it had effective data security measures in place or had improved its data security efforts, when, in fact, the data breach was caused by inadequate data security measures and the company faced a higher risk of cybersecurity failure because of automation and efficiency initiatives; therefore, the public statements were materially false and misleading.

When issuing public statements about data security on websites or through letters to investors or in public filings, consideration of how those statements can be used in the wake of a data breach is important. Otherwise, the increase in securities fraud litigation will continue, just as we have experienced with data breach class action litigation.


Secureworks issues an annual Incident Response Report that is very helpful in obtaining information on what types of incidents are occurring in order to become more resistant to threats. The 2020 IR Report was recently issued, and it contained some conclusions that made sense, while others were surprising.

The Report, entitled Pandemic-Driven Change: The Effect of COVID-19 on Incident Response, recognized that the pandemic has changed the way business is done “with organizations shifting to home-office work styles literally overnight.” Although there was a general assumption that with the transition from work in the office to work from home security incidents would increase, the Secureworks team found that the threat level was unchanged. What changed was the increase in new vulnerabilities that threat attackers took advantage of during the pandemic. According to the Report, “Infrastructure transformed practically overnight for many organizations. A sudden switch to remote work, increased use of cloud services, and increased reliance on personal devices created a significantly expanded attack surface for many enterprises. Facing an urgent need for business continuity, most companies did not have time to put all the necessary protocols, processes, and controls in place.”

In shifting rapidly from the office to workers’ homes, IT professionals were unable to strategize and implement necessary security controls because organizations did not plan for a totally remote workforce. The Report found that companies experienced increased risk in the following areas:

  • Lack of Multi-Factor Authentication
  • Access to SaaS Applications
  • VPN Split Tunneling
  • Security Monitoring and Access Control Implications
  • Delays in Security Patching

Additional increased risks outlined in the Report included allowing remote workers to use their personal devices without implementing a Bring Your Own Device (BYOD) program, and heightened risk due to staffing changes.

These risk factors are not new; they have just become more pronounced during the pandemic. Threat actors used old tactics in a new environment to attack victims. According to the Report, “[A]dversaries simply pivoted their tactics to launch COVID19-themed campaigns, exploit the security gaps in remote work environments, and target organizations involved with pandemic research.” In addition, as we have reported before, attackers are using COVID-19 “as a phishing bait” because they understand that workers are looking for more information about COVID to protect themselves and their families, and are therefore less vigilant because they are distracted and scared.

The Secureworks Report confirms that there are new vulnerabilities and old tricks to address during the pandemic with a fully remote workforce.

Regulatory bodies are upping the ante when it comes to settling with companies that have suffered data breaches. In addition to the below settlements, see also the settlement between the OCR and Dignity Health.

Community Health Systems, Inc. Settles for $5 Million in Multi-State Settlement

On October 8, 2020, New Jersey Attorney General Gurbir Grewal (AG) announced that his office has entered into a multi-state settlement agreement with Community Health Systems, Inc. (CHS) stemming from an investigation of a 2014 data breach that exposed personal information of approximately 6.1 million patients, including 45,000 New Jersey residents. This is after CHS agreed to pay $2.3 million in settlement for HIPAA violations alleged by the Office for Civil Rights.

The AG filed a complaint against CHS following the data breach alleging misrepresentation and violation of the New Jersey Consumer Fraud Act because CHS disclosed to consumers that it “employed security measures to protect information from unauthorized disclosure through various means such as encryption.”

The complaint alleged that CHS failed to implement and maintain reasonable security for the personal information that it collected and maintained, failed to provide security and confidentiality of stored information, and permitted unauthorized disclosure of protected health information inconsistent with HIPAA.

CHS and its subsidiary CHSPSC LLC agreed to pay $5 million to 28 participating states. In the final consent judgment, CHS denied the facts as alleged or any liability for the data breach.

Morgan Stanley Settles with OCC for $60 Million

Morgan Stanley has agreed to pay $60 million to settle claims by the Office of the Comptroller of the Currency (OCC) that on two occasions, once in 2016 and once in 2019, it failed to properly decommission data centers that housed client data of its wealth-management operations.

According to the OCC, Morgan Stanley “failed to effectively assess or address risks associated with decommissioning its hardware” by subcontracting the work out and failing to identify customer data that was stored on obsolete devices.

Morgan Stanley notified affected customers in July and is offering credit monitoring at no charge to its customers if they sign up by October 31.