
CISA Cybersecurity Advisory – Chinese State-Sponsored Cyber Operations

On July 19, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) released a joint cybersecurity advisory pertaining to Chinese state-sponsored threat actors. The advisory warns of potential malicious activity targeting “U.S. and allied political, economic, military, educational, and critical infrastructure (CI) personnel and organizations.”

In response to this increased threat, CISA suggests organizations, particularly managed service providers, semiconductor companies, the Defense Industrial Base (DIB), universities, and medical institutions, take the following steps: 

Patch your systems as soon as you can after operating system and application patches are released. Threat actors often reverse-engineer updates quickly to determine which vulnerability is being fixed and whether it can be weaponized.

Employ monitoring and detection technologies that give you a 360-degree view of what is happening on your network. Be sure you can see lateral movement, which may show indicators of compromise; inside-out traffic to malicious hosts, which may indicate command and control communication; and outside-in communication, which could reflect attempts at compromise from external sources.

Implement strong preventative measures to mitigate or help prevent compromise from occurring.  These include active anti-virus and multi-factor authentication. 
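The monitoring recommendation above amounts to sorting network flows by direction and checking each direction for a different signal. The script below is an added example written for this page, not code from the advisory or from Beckage: it classifies constructed flow records as lateral, inside-out, or outside-in, flags inside-out traffic to a (placeholder) block list as suspected command and control, flags outside-in connections to administrative ports as attempted compromise, and flags an internal host that reaches many peers on administrative ports as possible lateral movement. The flow-record format, the block list addresses, the port set, and the fan-out threshold are all assumptions.

```python
"""Direction-based triage of flow records, illustrating the three views the
advisory asks for: lateral movement, inside-out (possible C2) and outside-in
(possible compromise attempts). Example code for this page; the record format,
block list and thresholds are constructed assumptions, not vendor or CISA data."""
import ipaddress
from collections import defaultdict

# RFC 1918 ranges stand in for "inside the organization" (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed block list; TEST-NET documentation addresses, not real indicators.
KNOWN_BAD = {"203.0.113.5", "198.51.100.77"}

# Ports where inbound or east-west connections deserve a closer look (assumption).
ADMIN_PORTS = {22, 445, 3389, 5985}

# An internal host touching this many peers on admin ports is flagged (assumption).
LATERAL_FANOUT = 3


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def direction(src: str, dst: str) -> str:
    """Return lateral, inside-out, outside-in, or external for a src/dst pair."""
    s, d = is_internal(src), is_internal(dst)
    if s and d:
        return "lateral"
    if s:
        return "inside-out"
    if d:
        return "outside-in"
    return "external"


def parse_flow(line: str) -> dict:
    # Constructed format: "<ts> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <bytes>"
    ts, src, _, dst, proto, nbytes = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "src": src_ip, "sport": int(src_port),
            "dst": dst_ip, "dport": int(dst_port),
            "proto": proto, "bytes": int(nbytes)}


def triage(lines) -> list:
    """Walk flow records once and return (kind, ...) alert tuples."""
    alerts = []
    lateral_peers = defaultdict(set)  # internal src -> set of internal dsts on admin ports
    for line in lines:
        f = parse_flow(line)
        d = direction(f["src"], f["dst"])
        if d == "inside-out" and f["dst"] in KNOWN_BAD:
            alerts.append(("c2-suspect", f["src"], f["dst"]))
        elif d == "outside-in" and f["dport"] in ADMIN_PORTS:
            alerts.append(("inbound-admin", f["src"], f["dst"], f["dport"]))
        elif d == "lateral" and f["dport"] in ADMIN_PORTS:
            lateral_peers[f["src"]].add(f["dst"])
    for host, peers in lateral_peers.items():
        if len(peers) >= LATERAL_FANOUT:
            alerts.append(("lateral-fanout", host, len(peers)))
    return alerts


# Constructed sample flows: one host sweeps three internal peers on SMB/RDP and
# then calls a block-listed address; an external host probes SSH; the rest is benign.
SAMPLE_FLOWS = [
    "2021-07-20T09:00:01Z 10.1.2.3:51000 -> 10.1.2.10:445 tcp 2048",
    "2021-07-20T09:00:02Z 10.1.2.3:51001 -> 10.1.2.11:445 tcp 2048",
    "2021-07-20T09:00:03Z 10.1.2.3:51002 -> 10.1.2.12:3389 tcp 4096",
    "2021-07-20T09:00:04Z 10.1.2.3:51003 -> 203.0.113.5:443 tcp 512",
    "2021-07-20T09:00:05Z 10.1.2.7:52000 -> 192.0.2.10:443 tcp 8192",
    "2021-07-20T09:00:06Z 198.51.100.9:40000 -> 10.1.2.20:22 tcp 256",
    "2021-07-20T09:00:07Z 10.1.2.8:53000 -> 10.1.2.9:80 tcp 1024",
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_FLOWS):
        print(alert)
```

Running the script on the sample flows yields three alerts: a suspected C2 contact from 10.1.2.3, an inbound SSH attempt from 198.51.100.9, and a lateral fan-out finding for 10.1.2.3. In practice the block list would come from threat intelligence feeds and the internal ranges from the organization's own address plan; the point of the structure is that each of the three directions the advisory names gets its own check.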

Read the full cybersecurity advisory issued by CISA here. While this alert focuses on businesses that would be potential targets for nation-state threat actors, the advice above is applicable to any business. Following these best practices does not guarantee the prevention of a security incident but can make it substantially more difficult for threat actors to gain a foothold in an organization’s network and systems and can reduce detection time. 

If you suspect any malicious activity in your systems, or would like to speak to an incident response attorney to help improve your organization’s security, Beckage attorneys can be reached 24/7 via our Data Breach Hotline: 844.502.9363 or IR@beckage.com.  

*Attorney advertising: prior results do not guarantee future outcomes. 


Utah Adopts Cybersecurity Affirmative Defense Act Protecting Business from Certain Claims Arising Out of Data Breaches

On March 11, 2021, Utah Governor Spencer Cox signed the Cybersecurity Affirmative Defense Act (the “Act”) into law.  The Act creates affirmative defenses to certain causes of action arising out of a breach of system security.  See generally Utah Code Ann. § 78B-4-701 et seq.

The Act defines a breach of system security as including “an unauthorized acquisition of computerized data maintained by a person that compromises the security, confidentiality, or integrity of personal information.”  Utah Code Ann. § 13-44-102(1)(a).  Similarly, the Act defines personal information as including a person’s first name and last name when combined with a social security number, financial account number in combination with a required security code, and a driver’s license.  Utah Code Ann. § 13-44-102(1)(a).

The Act provides that a business that “creates, maintains, and reasonably complies with a written cybersecurity program” that is “in place at the time of breach of system security” shall be afforded an affirmative defense to tort claims arising out of the business’s alleged “fail[ure] to implement reasonable information security controls that resulted in the breach of system security.”  Utah Code Ann. § 78B-4-702.

While the Act requires a written cybersecurity program, it does not set forth a new technical cybersecurity standard.  Instead, the Act requires that a written cybersecurity program “shall provide administrative, technical, and physical safeguards to protect personal information” and that the program “reasonably conforms to the current version of” NIST 800-171, NIST 800-53, ISO 2700, or the HIPAA Security Rule.  Utah Code Ann. § 78B-4-702(4); Utah Code Ann. § 78B-4-703(1)(b).  Altogether, this requirement for a written cybersecurity program is not entirely dissimilar to the business cybersecurity program requirements under New York’s “Stop Hacks and Improve Electronic Data Security Act” (SHIELD Act), which we further outlined here.

There are a couple of other notable provisions in the Act.  First, the Act does not create a private right of action if a business fails to comply with the Act.  Utah Code Ann. § 78B-4-704.  Second, the Act provides that if an action is brought in another state but is governed by Utah law, then the Act applies.  Utah Code Ann. § 78B-4-705.  As such, if a Utah business is sued for an alleged failure to implement information security standards and a resulting breach, it may rely on the Cybersecurity Affirmative Defense Act to the extent that it had and followed its written cybersecurity program.  Moreover, Utah isn’t alone in providing for an affirmative defense, as Ohio adopted similar legislation in 2018.  See Ohio Rev. Code Ann. § 1354 et seq.

Beckage closely monitors for any and all changes in the law related to breaches of system security, data breaches, or other cyber security incidents.  Beckage’s team of attorneys and technologists is especially attuned both to responding to a data breach and to understanding what a robust written cyber security program would entail.

*Attorney Advertising. Prior results do not guarantee future outcomes.



Upcoming National Data Breach Notification Legislation

Amid growing pressure in the wake of the allegedly state-sponsored SolarWinds cyber attack, federal legislators on both sides of the aisle have expressed renewed interest in a federal data breach notification law.  Currently, each state has its own data breach notification law governing notice requirements to individuals, state attorneys general, and credit reporting agencies when personally identifiable information such as names, social security numbers, and credit card information is accessed or acquired as part of a data breach.  As a result, data breach response involves a host of competing timelines for businesses to notify various individuals and organizations.  This can prove to be inconsistent, complex, costly, and time consuming.

In an attempt to streamline the data breach notification process, Representatives Michael McCaul (R-TX-10), ranking member of the House Foreign Affairs Committee, and Jim Langevin (D-RI-2), chair of the House Armed Services Committee’s cybersecurity subcommittee, are drafting a bill which would create a federal mandatory breach notification.  The proposed bill would involve removing sources, methods, and names out of notifications and sending them to the Cybersecurity and Infrastructure Security Agency (“CISA”).  Moreover, the proposed bill will incorporate input from the Cyberspace Solarium Commission, a group established by Congress comprised of lawmakers and other officials with the purpose of developing a strategic approach to our nation’s defense against cyberattacks.  The Cyber Solarium Commission released its first report in March 2020 calling for several government reforms including, but not limited to: issuing an update to our National Cyber Strategy; establishing a permanent House and Senate Committee on Cybersecurity; and strengthening CISA.

Moreover, the proposed bill is expected to be based, in large part, on legislation previously drafted by Rep. Langevin in 2017 entitled the “Personal Data Notification and Protection Act of 2017” (“PDNPA”).  See Personal Data Notification and Protection Act of 2017, H.R. 3806, 115th Cong. (2017).  The PDNPA was introduced in the House on September 18, 2017, in the wake of the Equifax breach, but died in committee as political energy began to change focus.

The PDNPA required, in relevant part, that “any business entity engaged in or affecting interstate commerce that uses, accesses, transmits, stores, disposes of, or collects sensitive personally identifiable information about more than 10,000 individuals during any 12-month period shall, following the discovery of a security breach of such information, notify…any individual whose sensitive personally identifiable information has been, or is reasonably believed to have been, accessed or acquired.”  See id. at § 2(a).

Notice under the PDNPA was to be completed by one of the following methods: i) written notification to the last known home mailing address of the individual in the records of the business entity; ii) telephone notification to the individual personally; iii) e-mail notification, if the individual consented and if consistent with section 101 of the Electronic Signatures in Global and National Commerce Act (15 U.S.C. 7001); or, if the number of individuals affected exceeded 5,000 persons, notification could have been provided through media “reasonably calculated to reach such individuals.”  See id. at § 7.

Similarly, the PDNPA required a business entity that suffered a data breach affecting more than 5,000 persons to notify credit reporting agencies.  See id. at § 6.  The PDNPA gave the Federal Trade Commission authority to enforce penalties; however, it also recognized that state attorneys general could, in the interest of the residents of their state, bring civil actions against violators imposing fines of $1,000 per day per individual whose personally identifiable information was exposed, with a maximum of $1,000,000 per violation unless the business entity’s conduct was found to be willful or intentional.  See id. at §§ 8-9.

Finally, the PDNPA was to supersede all state laws regarding breach notification by a business entity engaged in interstate commerce that suffers a data breach.  See id. at § 10.  Although the PDNPA was never enacted, the proposed legislation will likely closely mirror the above-referenced terms.

The Beckage Incident Response team will continue to monitor any developments regarding a national data breach notification law and will update its guidance accordingly. Our attorneys are nationally recognized for our experience working on data breaches, including some of the most notorious cyber incidents in recent history. If your business is in the midst of navigating the complexities surrounding a recent data breach, our team can be reached anytime via our 24/7 data breach hotline at 844-502-9363 or by emailing IR@beckage.com.


*Attorney Advertising; prior results do not guarantee similar outcomes.


The Emotet Attack Gets Attacked

Having responded to numerous malware and ransomware incidents, we have seen that cyber threats are persistent but not impenetrable.  The thing that pokes holes in companies’ IT environments can itself be vulnerable, as a recent incident with Emotet has proven.  This recent occurrence can hopefully provide businesses with assurance that government, like private industry, is working hard to push back on cyber threats.

What is it? 

Emotet is an extremely well-traveled bit of malware. It has been spread far and wide across the globe and has led to countless data incidents via automated phishing emails.  By luring recipients not only to open a spam email but then to download an attachment or click a link, whether it be a fake invoice or COVID-19 vaccine information, Emotet tricked recipients into installing malware on their system that then opens a gateway to the botnet’s infrastructure.  Continuously since 2014, the Emotet botnet has run more phishing campaigns, convinced more individuals to download malware masked as attachments, and opened more gateways to more Windows systems, calling out and then preserving a point of access to an unsuspecting party.

Why is it dangerous? 

Think of every successful introduction of Emotet malware onto a computer as opening a gateway to that system.  Then think of all the gateways being amassed by the group that controls Emotet.  Now imagine that team saying to a global community of cyber attackers, “Which gateways would you like to purchase access to in order to deploy your ransomware or whatever attack you have in mind?”  The result has been, according to Ukrainian law enforcement, $2.5 billion in damages from the resulting attacks.  Popular ransomware variants like Ryuk are known to be paying for that access and contributing to the resulting financial hardship.  So Emotet may not be the illegal drug, but it is the needle delivering it.

What happened? 

The FBI, Europol, the Royal Canadian Mounted Police, the National Police of Ukraine, the UK’s National Crime Agency, and other international law enforcement agencies, with the aid of private researchers, embarked on an expansive raid on Emotet, reportedly two years in the making.  Operation Ladybird, as it was known, sought to take over a command-and-control network of servers in over 90 countries.  The result?  A success.  The Emotet disruption was pulled off by replacing the machines at the center of the botnet’s infrastructure with computers controlled by law enforcement, allowing law enforcement to negate any further requests from the malware to the botnet and prevent any malicious activity.  The infrastructure that controls the Emotet operation is now under the control of law enforcement, and the botnet responsible for up to 30% of all malware attacks is offline, leaving those who once relied on purchasing access to those gateways for deploying cyber-attacks without that access.

The Beckage Team has extensive experience counseling clients on data security matters, breach response preparedness, and breach coach services.  We have also worked on headline-making data incidents, including those associated with malware and ransomware strains like Emotet and Ryuk. Our team can be reached anytime via our 24/7 data breach hotline at 844-502-9363 or by emailing IR@beckage.com.   


*Attorney Advertising; prior results do not guarantee similar outcomes.  


Ongoing Cyber Attack Uses SolarWinds Software Update to Distribute Malware

Beckage’s Incident Response Team is monitoring an evolving hacking campaign that is leveraging a popular managed service provider named SolarWinds.

What happened?

Beginning over the weekend, multiple organizations around the globe, including United States government agencies, have been targeted by a hacking campaign reportedly carried out by a Russian organization known as CozyBear, APT29, or UNC2452.  While cybersecurity officials are currently scrambling to implement countermeasures, initial signs suggest this campaign has been running for months. 

Who has been affected?

FireEye, an American cybersecurity firm that was one of the organizations accessed, has led much of the analysis on this sophisticated cyber attack.  Other victims so far include government agencies, consulting, technology, telecom, and oil and gas companies across North America, Asia, Europe, and the Middle East.

How was this attack carried out?

The attackers used a trojanized SolarWinds Orion business software update to distribute a backdoor called SUNBURST.  Once this Trojan has infiltrated a server, the attackers are able to remotely control the devices on which the update has been installed.  They can use this access to move freely throughout an organization’s environment, installing additional software, creating new accounts, and accessing sensitive data and valuable resources.  By establishing themselves as an authorized user, the attackers may be able to maintain this access even if the SolarWinds backdoor is removed, creating a slew of additional issues that may present themselves in the future.

The SUNBURST malware is designed to be stealthy, making it very difficult to determine whether a computer has been affected.  After the backdoor has accessed a device, it waits quietly for a period of 12 to 14 days before taking any action.  Once activated, the attacker sets the hostnames on their command and control infrastructure to match a legitimate hostname found within the victim’s environment.  This allows the attacker to blend into the environment, avoid suspicion, and evade detection.  The attackers also primarily use IP addresses originating from the same country as the victim, leveraging virtual private servers.

What to do now

Beckage recommends that organizations using SolarWinds as a provider implement several preventative steps to safeguard their organization, including the following measures:

  • Review current incident response protocols and processes.
  • Carefully craft internal and external messaging and FAQs with an experienced data breach attorney.
  • Make sure employees know who to contact if they have reason to believe there is suspicious activity.

Beckage has extensive experience dealing with headline-making data incidents similar to the CozyBear attack.  Our team can assist you with implementing urgent preventative actions to avoid falling prey to this attack.  If your systems have been accessed, we can work to minimize your legal exposure and regulatory vulnerabilities and manage response efforts and communications with any relevant stakeholders.

If an attack is detected and additional resources are needed, Beckage can be reached using our 24/7 Data Breach Hotline at 844-502-9363.

The Big Take Away

Attackers continue to target service providers.  This incident is one more piece of evidence that service providers are highly desirable and valuable businesses to compromise because they can provide an attacker with access to many, many clients.  Attackers are looking for the hub of the wheel, so they can expand into all the spokes and carry out many simultaneous breaches.

This reality makes vendor management programs, including vendor security audits and initial security questionnaires of service providers, more essential than ever.  Beckage’s clients benefit from our counsel on vetting vendors and service providers in order to mitigate the risk of falling victim to a cyber attack because of a vendor compromise.

A Holiday Reminder on Malicious Activity

Phishing campaigns, email compromise, and ransomware activities are extremely common around the holiday season. As a reminder, be sure your organization is being diligent in your efforts against these types of attacks even if you have not been affected by this particular incident.

*Attorney advertising. Prior results do not guarantee future outcomes.

