CozyBear BreachOngoing Cyber Attack Uses SolarWinds Software Update to Distribute Malware

Ongoing Cyber Attack Uses SolarWinds Software Update to Distribute Malware

Beckage’s Incident Response Team is monitoring an evolving hacking campaign that is leveraging a popular managed service provider named SolarWinds.

What happened?

Beginning over the weekend, multiple organizations around the globe, including United States government agencies, have been targeted by a hacking campaign reportedly carried out by a Russian organization known as CozyBear, APT29, or UNC2452.  While cybersecurity officials are currently scrambling to implement countermeasures, initial signs suggest this campaign has been running for months. 

Who has been affected?

FireEye, an American cybersecurity firm that was one of the organizations accessed, has led much of the analysis on this sophisticated cyber attack.  Other victims so far include government agencies, consulting, technology, telecom, and oil and gas companies across North America, Asia, Europe, and the Middle East.

How was this attack carried out?

The attackers used a trojanized SolarWinds Orion business software update to distribute a backdoor called SUNBURST.  Once this Trojan has infiltrated a server, the attackers are able to remotely control the devices on which this update has been installed.  They can use this access to move freely throughout an organization’s server, installing additional software, creating new accounts, and accessing sensitive data and valuable resources.  By confirming itself as an authorized user, the attackers may be able to maintain this access even if the SolarWinds backdoor is removed, creating a slew of additional issues that may present themselves in the future.

The SUNBURST malware is stealthily designed to make it very difficult to determine whether a computer has been affected.  After the backdoor has accessed a device, it waits quietly for a period of 12 to 14 days before taking any action.  Once activated, the attacker sets the hostnames on their command and control infrastructure to match a legitimate hostname found within the victim’s environment.  This allows the attacker to blend into the environment, avoid suspicion, and evade detection.  The attackers also use primarily IP addresses originating from the same country as the victim, leveraging Virtual Private Servers.

What to do now

Beckage recommends that organizations using SolarWinds as a provider implement several preventative steps to safeguard their organization including of the following measures:

  • Review current incident response protocols and processes.
  • Carefully craft internal and external messaging and FAQs with an experienced data breach attorney.
  • Make sure employees know who to contact if they have reason to believe there is suspicious activity.

Beckage has extensive experience dealing with headline-making data incidents similar to the CozyBear attack.  Our team can assist you with implementing urgent preventative actions to avoid falling pray to this attack.  If your systems have been accessed, we can work to minimize your legal exposure and regulatory vulnerabilities and manage response efforts and communications with any relevant stakeholders.

If an attack is detected and additional resources are needed, Beckage can be reached using our 24/7 Data Breach Hotline at 844-502-9363.

The Big Take Away

Attackers continue to target service providers.  This incident is one more piece of evidence that service providers are highly desirable and valuable businesses to compromise because they can provide an attacker with access to many, many clients.  Attackers are looking for the hub of the wheel, so they can expand into all the spokes and carry out many simultaneous breaches.

This reality makes vendor management programs, including vendor security audits and initial security questionnaires of service providers more essential than ever.  Beckage’s clients benefit from our counsel on vetting vendors and service providers in order to mitigate risk of falling victim to a cyber attack because of a vendor compromise.

A Holiday Reminder on Malicious Activity

Phishing campaigns, email compromise, and ransomware activities are extremely common around the holiday season. As a reminder, be sure your organization is being diligent in your efforts against these types of attacks even if you have not been affected by this particular incident.

*Attorney advertising. Prior Results do not guarantee future outcomes.

Subscribe to our Newsletter.

RansomwareRansomware Activity Targeting the Healthcare and Public Health Sector

Ransomware Activity Targeting the Healthcare and Public Health Sector

Beckage is notifying organizations in the healthcare sector of a potential threat that may occur this weekend. We will continue to monitor this situation and provide updates as they occur.

Late last night the Federal Bureau of Investigations (FBI), Department of Health and Human Services (HHS), and the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about an imminent cybercrime threat to hospitals and healthcare providers. These organizations have credible information to suggest that there will be a widespread Ryuk ransomware attack this weekend. The threat is currently being investigated by the FBI, DHS and the NSA’s Cybersecurity Threat Operations Center.

What We Know

The cybercrime organization Ryuk is targeting the Healthcare and Public Health sector with Trickbot malware that may lead to ransomware attacks, data theft, and the disruption of healthcare services, a particularly concerning possibility considering the nation is still grappling with the COVID-19 pandemic.

Based on what we know about Ryuk, it is possible that the targeted healthcare entities have already implemented the encryption malware on healthcare organizations’ systems and the threat actors just have not commanded it to activate.  Given the threat, we urge all healthcare organizations to review the measures recommended by the FBI as consider some practical incident response measures.

What To Do Next

Beckage recommends that hospitals and healthcare providers implement several preventative steps to safeguard their organization including of the following measures: reviewing current incident response protocols and processes within the next 24 hours, and carefully crafting internal drafting internal and external messaging and FAQs with an experienced data breach attorney to help minimize legal risk as well as making sure employees know who to contact if they have reason to believe there is suspicious activity.

Beckage is available to discuss additional best practices that should be taken over the next 24 to 72 hours. Our team will continue to monitor this for new developments and provides updates as appropriate.  If an attack is detected and additional resources are needed, Beckage can be reached using our 24/7 Data Breach Hotline at 844-502-9363.

*Attorney advertising. Past outcomes do not predict future results.

Subscribe to our Newsletter.

SAFE DATA ActLegislative Update on the SAFE Data Act

Legislative Update on the SAFE Data Act

In late September, a few Republican members of the Senate Committee on Commerce, Science and Transportation (“Commerce Committee”) introduced the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act, adding to the slew of federal data privacy bills before the Committee.

The Safe Data Act would enhance the Federal Trade Commission’s (FTC) authority and provide additional enforcement resources.  The Safe Data Act contains some measures captured in other bills before the Commerce Committee, including the Deceptive Experiences to Online Users Reduction Act (Detour Act), the Balancing the Rights of Web Surfers Equally and Responsibly Act (Browser Act), and the Consumer Online Privacy Rights Act (COPRA).  It provides consumers with more control over their data and strengthens the FTC’s ability to respond to changes or advancements in technology.  

If enacted, the Safe Data Act would prohibit businesses from processing or transferring sensitive consumer data without their consent.  The Safe Data Act would also minimize the amount of consumer data businesses can collect, process, and retain, and would limit secondary uses of consumer data without consumer consent.  

The Safe Data Act attempts to create a national standard that would preempt or supersede state privacy laws.  A federal standard could, in theory, ease the burden on businesses that currently need to comply with a complicated patchwork of state and local privacy laws.  This preemption issue captured a lot of attention during Committee testimony on September 23rd, particularly from California Attorney General Xavier Becerra, who argued that a federal standard should be the floor rather than the ceiling for privacy standards.  Earlier this year, Becerra oversaw the implementation of California Consumer Privacy Act—the nation’s most comprehensive state data protection statute to date—which, he said would be heavily dismantled by Federal preemption.  Another issue that has captured attention during the Committee hearing is whether federal legislation should include a private right of action, which would allow consumers to pursue legal remedies themselves.

The bottom line?  There are several approaches being considered and little agreement on the path forward.  Though we expect the conversation to continue into Lame Duck, we do not anticipate consensus on a unified approach to data privacy until the 117th Congress in January 2021.

Beckage continues to monitor this evolving landscape and provide updates on important topics such as data privacy, which have a very real impact on business operations.  Regardless of the legislative landscape, a robust data security and privacy program that can stand the test of time is a wise investment.  Our team is available to assist your team evaluate legal implications of current requirements and legislative changes in the data privacy field.

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to our Newsletter.

ransomwareWhat To Do If A Ransomware Incident Means Your Business Cannot Avoid Paying Ransom: OFAC Weighs In

What To Do If A Ransomware Incident Means Your Business Cannot Avoid Paying Ransom: OFAC Weighs In

While ransomware was already a growing global issue before the pandemic, COVID-19 has thrown jet-fuel on that fire.  As a result, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory statement on October 1, 2020.  The advisory specifically details the risk of sanctions related to paying a ransom and reflects the greater reality that as new wrinkles in attacks become common, including exfiltration of data for later extortion or deletion back up files, more businesses than ever are considering ransom payment.  OFAC wants your business to remember that paying ransom to certain groups is a sanctionable event.  

Beckage is very familiar with many ways to avoid paying ransom, but we remain informed of all the regulations and advisory guidance related to ransom payment.

A high-level review of a ransomware event can provide perspective on what role OFAC and its advisory mean to your business:

The Incident

Ransomware is a type of malicious software that infiltrates computer networks, locking and blocking access unless a ransom is paid.  When your business encounters ransomware, your Incident Response Plan (IRP) should direct leadership to immediately initiate contact with previously identified parties whose work is focused on just this sort of matter, including counsel such as Beckage, and your cybersecurity insurance carrier.

Common Questions

In the first minutes and hours after ransomware is detected, we hear common questions, such as: Is paying ransom a viable path forward?  Is it allowed?  And if there are no other options for remediation and restoring from backups, how is it done?

The Response to Ransom Demands

Depending on the situation, ransoms are sometimes paid.  This is not a default position, but can be the necessary and most logical step in response to a ransomware incident.  Your business does not suddenly have to figure out how to pay an unknown party the ransom; your tech lawyers will be familiar with third parties that specialize in incident response, including investigating the background of the threat actor and exploring payment.  Such a third-party will take steps to secure cryptocurrency, such as Bitcoin, for paying a ransom, work with counsel to understand how anti-money laundering laws apply to a transaction, and gauge whether the actor behind the ransomware is a sanctioned group or tied to a sanctioned group. 

OFAC’s Impact

The OFAC advisory reminds us that the U.S. Government does not qualify ransom payment as illegal, but ransom payments are not favored resolutions.  The advisory serves as a reminder of existing practices and policies:

  • Fines can follow any violation of the International Emergency Economic Powers Act (IEEPA), Trading with the Enemy Act (TWEA), Specially Designated Nationals and Blocked Persons List (SDN List) or embargoes with jurisdictions such as Iran, North Korea, and Syria. Your counsel, insurers and third parties involved in ransom. payment should all be familiar with the requirements therein.
  • Businesses are encouraged to implement and maintain a compliance program to avoid sanction-related violations, which can help mitigate civil monetary penalties in the event of a sanctions-related violation.
  • Businesses should routinely review with their insurers and brokers if and how the ransom payment process is impacted by this and any future advisory.
  • Sharing ransomware incident information with relevant government agencies, including OFAC and the FBI, is highly encouraged but not required.  Cooperation is critical to not only threat actor identification efforts, but, like a formal compliance program, can mitigate penalty in the event of an enforcement action for a sanctions-related violation.

The Result

OFAC’s advisory continues an established narrative of best practices for any company affected by ransomware, and those are the practices of our firm.  If your company finds itself under attack, look to experienced incident response lawyers, like Beckage, to help.  As noted in the advisory, “there was a 37 percent annual increase in reported ransomware cases [from 2018 to 2019] and a 147 percent annual increase in associated losses from 2018 to 2019,” and these numbers are expected to continue to rise.  By looking to experienced tech lawyers in incident response, you help your business mitigate risks associated with ransomware, including business interruption, reputational harm, and non-compliance with government standards for ransom payment.

Have your technology and incident response lawyers help establish, formalize, and update your corporate Information Security Practices and Incident Response Plan, to address legal requirements and changes in the law and to help your business avoid ransomware, or at least be fully prepared to respond to an incident.

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to our Newsletter.

Privacy ShieldFTC Privacy Principles Offer Guidance to Companies In Light of Schrems Decision

FTC Privacy Principles Offer Guidance to Companies In Light of Schrems Decision

The invalidation of the Privacy Shield by the recent Schrems decision has left businesses scrambling as to their data transfers abroad.  The FTC can be looked at as a source of guidance for businesses grappling with data transfers in this uncertain landscape.   

In July, the European Union Court of Justice (CJEU) issued the Schrems II (C-3111/18) decision, invalidating the EU-US Privacy Shield Framework.  The EU-US Privacy Shield was a mechanism used to allow United States businesses to transfer and store European Union personal data in the United States.  The ruling in this case renders the United States an inadequate country without special access to Europe’s personal data streams.  However, while the Privacy Shield has been declared invalid, the CJEU ruled international data flows under the General Data Protection Regulation (GDPR) can continue under EU Standard Contractual Clauses.  The continuation under the Standard Contractual Clauses calls into question the future of international data flows between the United States and the European Union.  

Despite the Schrems II decision invalidating the Privacy Shield Framework, here in the United States, the Federal Trade Commission (FTC) will continue to hold companies to its principles.  With broad civil enforcement authority to promote consumer protection and competition in the commercial sphere, the FTC will hold companies accountable for violating international data commitments to protect data transfers across the Atlantic Ocean, despite the framework being rejected, including adherence to the following principles:  

  1. Notice of participation, types of data collected, and purposes for the data collected. 
  1. Choice of individuals to opt out or consent to types of data being collected. 
  1. Companies taking accountability for onward transfers of personal data collected by third parties while complying with Notice and Choice Principles. 
  1. Companies taking reasonable and appropriate security measures to mitigate risks associated with maintaining personal data collection. 
  1. Ensuring data integrity and purpose legitimation to confirm data is reliable and compatible for collected purposes. 
  1. Ensuring individuals have access to the personal data organizations hold. 
  1. Incorporating robust mechanisms to ensure company compliance and recourse for individuals who fall victim to noncompliance procedures. 

FTC commissioners agree that there should be a national data privacy law regarding online privacy and that there is increased attention on the need for broader data privacy policy that would allow the FTC to impose civil penalties, adapt with changing technology, and to hold non-profits and carriers accountable under the Privacy Shield Framework that were previously beyond the FTC’s enforcement powers.  The FTC has broad civil enforcement authority to promote consumer protection and competition in the commercial sphere.  

Data security and privacy continue to be a major part of ongoing antitrust investigations on technology platforms.  Europe is determined to provide strong privacy protections, hinting that data security is one of its key priorities relating to the exponential growth in data collections. Although the Privacy Shield is no longer a viable mechanism to comply with EU data protection requirements, the US is not relieved of its prior obligations.  

We encourage companies to continue to follow robust privacy principles, such as those underlying the Privacy Shield Framework, and to review their privacy policies to ensure they accurately describe their privacy practices, including with regard to international data transfers.  

At Beckage, we have a team of highly skilled attorneys certified in comprehensive GDPR knowledge that can help your company work towards compliance and data protection in both Europe and the United States.  Beckage works with clients to review current policies and assess data security practices.  Our team can help implement a plan to address any related data privacy legislation and be the appropriate legal counsel to help your company better understand the legal implications surrounding transatlantic data information transfers.  

*Attorney Advertising. Prior results do not guarantee similar outcomes. 

Subscribe to our Newsletter.

1 2 3 5