Patching vulnerabilities is a difficult task. Keeping up with and patching them without disrupting users’ experience is tricky. Nonetheless, it is a necessary evil and crucial to cybersecurity hygiene and incident prevention.

On March 12, 2024, the Cybersecurity & Infrastructure Security Agency (CISA) issued three Cybersecurity Alerts for Adobe, Microsoft, and Fortinet security patches.

The Fortinet release addresses five vulnerabilities; CISA “encourages users and administrators to review…and apply necessary updates.” The vulnerabilities could allow a threat actor to “take control of an affected system.”

On Patch Tuesday, Microsoft released 60 (yes, 60) security updates for products, including well-known ones such as Windows Defender, Microsoft Authenticator, Skype, SharePoint, and SQL Server. CISA recommends applying the patches as instructed by Microsoft.

CISA also encourages administrators and users to apply six patches to Adobe products.

Applying patches quickly is a solid strategy to help prevent a cyber-attack that exploits a known vulnerability, including a zero-day for which a fix has just been released. It is hard work but worth it.

Yesterday, with broad bipartisan support, the U.S. House of Representatives voted overwhelmingly (352-65) to support the Protecting Americans from Foreign Adversary Controlled Applications Act, designed to begin the process of banning TikTok’s use in the United States. This is music to my ears. See a previous blog post on this subject.

The Act would penalize app stores and web hosting services that host TikTok while it is owned by Chinese-based ByteDance. However, if the app is divested from ByteDance, the Act will allow use of TikTok in the U.S.

National security experts have warned legislators and the public that downloading and using TikTok is a national security threat. This threat manifests because ByteDance is subject to Chinese law that can require it to share users’ data with the Chinese Communist government. Once installed, TikTok requests access to users’ microphones, cameras, and location services, which is essentially spyware on over 170 million Americans’ every move (dance or not).

Lawmakers are concerned about the detailed sharing of Americans’ data with one of its top adversaries and the ability of TikTok’s algorithms to influence and launch disinformation campaigns against the American people. The Act will make its way through the Senate, and if passed, President Biden has indicated that he will sign it. This is a big win for privacy and national security.

The bill that passed in the U.S. House of Representatives potentially banning TikTok’s use in the U.S. is not a novel idea. The federal government has already banned TikTok’s use for federal employees, some states have banned its use for state employees, and the state of Montana has attempted to ban its use in the state, which was litigated by ByteDance and is presently on appeal. Other countries have banned the use of TikTok over similar concerns without the uproar levied by users in the U.S. Perhaps users in other countries are more sophisticated or care more about national security and privacy concerns than users in the U.S.

The Washington Post published an article on March 13, 2024, that outlines other countries that have already banned TikTok from certain use. They include India, Nepal, European Union, Canada, Britain, Australia, Taiwan, New Zealand, Pakistan, Afghanistan (yes, even the Taliban banned TikTok in 2022 to “prevent the younger generation from being misled”), and Somalia.

The article is a very interesting read and shows that the concern over the intent of the Chinese Communist Party as it relates to TikTok is global. Encourage your Senators to adopt the House bill banning TikTok in the U.S. unless ByteDance divests the app, so it can be sent to President Biden for signature.

To help organizations protect against ransomware, CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a cybersecurity advisory  warning organizations about the Phobos ransomware, and provided indicators of compromise and tactics, techniques, and procedures used by Phobos as recently as February.

According to the advisory, Phobos has been attacking “municipal and county governments, emergency services, education, public healthcare, and other critical infrastructure entities to successfully ransom several million U.S. dollars.” Phobos threat actors gain initial access to networks through phishing campaigns or by scanning for exposed Remote Desktop Protocol (RDP) ports on Microsoft Windows environments, then use open-source brute-force tools against those exposed RDP services until they successfully authenticate.
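The RDP brute-force step above is also the one defenders can most easily see in their own logs. The script below is an added example, not code from the CISA/FBI/MS-ISAC advisory: it runs a simple detection over constructed Windows Security log export lines, flagging any source IP that produces a burst of failed RDP logons (event 4625, logon type 10) within a sliding window and noting whether a later RDP success (event 4624, logon type 10) came from the same IP, which is what a brute force that worked looks like. The export line format, the 10-failures-in-5-minutes threshold, and the RFC 5737 documentation addresses are assumptions made for the example; the event IDs and logon type are standard Windows semantics.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export lines (not real logs). Field names follow Windows
# Security events 4625 (failed logon) and 4624 (successful logon); LogonType=10
# is RemoteInteractive, i.e. RDP. IPs are RFC 5737 documentation addresses.
_BASE = datetime(2024, 2, 15, 3, 12, 0)
_SPRAYED = ["administrator", "admin", "backup", "sql", "scanner", "svc_rdp",
            "administrator", "it", "helpdesk", "guest", "test", "administrator"]
SAMPLE_LOG = [
    f"{(_BASE + timedelta(seconds=11 * i)).isoformat()}Z EventID=4625 LogonType=10 "
    f"IpAddress=203.0.113.45 TargetUserName={name}"
    for i, name in enumerate(_SPRAYED)
]
SAMPLE_LOG += [
    # two typos from a legitimate user: below any sensible threshold
    f"{(_BASE + timedelta(seconds=150)).isoformat()}Z EventID=4625 LogonType=10 IpAddress=198.51.100.7 TargetUserName=jsmith",
    f"{(_BASE + timedelta(seconds=170)).isoformat()}Z EventID=4625 LogonType=10 IpAddress=198.51.100.7 TargetUserName=jsmith",
    # the brute force succeeds from the noisy IP
    f"{(_BASE + timedelta(seconds=180)).isoformat()}Z EventID=4624 LogonType=10 IpAddress=203.0.113.45 TargetUserName=administrator",
    # network (SMB) logon failure, not RDP: ignored by this rule
    f"{(_BASE + timedelta(seconds=200)).isoformat()}Z EventID=4625 LogonType=3 IpAddress=192.0.2.9 TargetUserName=fileshare",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)Z EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"IpAddress=(?P<ip>\S+) TargetUserName=(?P<user>\S+)$"
)


def parse_line(line):
    """Parse one export line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "event_id": int(m["eid"]),
            "logon_type": int(m["lt"]), "ip": m["ip"], "user": m["user"]}


def find_rdp_bruteforce(lines, threshold=10, window_seconds=300):
    """Return alerts keyed by source IP.

    An IP is flagged when it produces at least `threshold` failed RDP logons
    within any sliding window of `window_seconds`. `accounts` lists the user
    names tried (many distinct names indicates password spraying) and
    `succeeded` is True if an RDP success from the same IP follows the failures.
    """
    window = timedelta(seconds=window_seconds)
    events = [e for e in map(parse_line, lines) if e and e["logon_type"] == 10]
    failures, successes = defaultdict(list), defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event_id"] == 4625:
            failures[e["ip"]].append(e)
        elif e["event_id"] == 4624:
            successes[e["ip"]].append(e)

    alerts = {}
    for ip, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            # slide the window start forward until it fits within window_seconds
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {
                    "failed_logons": len(fails),
                    "accounts": sorted({f["user"] for f in fails}),
                    "first": fails[0]["ts"],
                    "last": fails[-1]["ts"],
                    "succeeded": any(s["ts"] >= fails[0]["ts"] for s in successes[ip]),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, alert in find_rdp_bruteforce(SAMPLE_LOG).items():
        print(ip, alert)
```

On a real host the same fields come from the Security event log (for example via Get-WinEvent or a SIEM export) rather than the constructed lines; the rule is deliberately narrow, so a success after a burst of failures is the alert worth paging on, while a burst of failures alone is the cue to confirm that RDP is not reachable from the internet at all.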

The advisory provides specific recommendations on mitigation to assist companies in reducing the risk of becoming a victim, which are worth checking out.

This week we are pleased to have a guest post by Robinson+Cole Business Transaction Group lawyer Tiange (Tim) Chen.

On February 28, 2024, the Justice Department published an Advanced Notice of Proposed Rulemaking (ANPRM) to seek public comments on the establishment of a new regulatory regime to restrict U.S. persons from transferring bulk sensitive personal data and select U.S. government data to covered foreign persons.

The ANPRM was published as a response to a new White House Executive Order (EO), issued pursuant to the International Emergency Economic Powers Act (IEEPA), which requires the Justice Department to propose administrative regulations within 6 months to respond to potential national security threats arising from cross-border personal and government data transfers.

Covered Data Transactions

Under the ANPRM, the Justice Department may restrict U.S. persons from engaging in a “covered data transaction,” which may refer to:

  • (a) a “transaction”: acquisition, holding, use, transfer, transportation, exportation of, or dealing in any property in which a foreign country or national thereof has an interest;
  • (b) that involves (1) bulk U.S. sensitive personal data; or (2) government-related data; and
  • (c) that involves (1) data brokerage, (2) a vendor agreement, (3) an employment agreement, or (4) an investment agreement.

Bulk Sensitive Personal Data. According to the ANPRM, the term “sensitive personal data” includes:

(1) specifically listed categories and combinations of covered personal identifiers (not all personally identifiable information), (2) precise geolocation data, (3) biometric identifiers, (4) human genomic data, (5) personal health data, and (6) personal financial data.

Only transactions exceeding certain “bulk,” or threshold volume, will be subject to the relevant restrictions based on the number of U.S. persons or U.S. devices involved.

Government-related Data. According to the ANPRM, the term means (1) any precise geolocation data, regardless of volume, for any geofenced location within an enumerated list, and (2) any sensitive personal data, regardless of volume, that links to current or former U.S. government, military or Intelligence Community employees, contractors, or senior officials.

Prohibited, Restricted, and Exempted Transactions

The EO and ANPRM propose a three-tier approach to differentiate the types of restrictions subject to the proposed rules.

Prohibited Transactions. The ANPRM generally prohibits a U.S. person to knowingly engage in a “covered data transaction” with a country of concern or covered person.

Restricted Transactions. The ANPRM provides that for U.S. persons involved in “covered data transactions” relating to a vendor, employment or investment agreement, such transactions may be permissible if adequate security measures are taken consistent with relevant rules to be promulgated by the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security.

Exempted Transactions. The ANPRM proposes to exempt certain types of transactions, including: (1) data transactions involving personal communication, information or information materials carved out by IEEPA, (2) transactions for official government business, (3) financial services, payment processing or regulatory compliance related transactions, (4) intra-entity transactions incident to business operations, and (5) transactions required or authorized by federal law or international agreements.

Licensing Regime. The EO authorizes the Justice Department to grant specific (entity- or person-specific transaction) and general (covering broad classes of transactions) licenses for U.S. persons to engage in prohibited and restricted transactions. The Justice Department is considering establishing a licensing regime modeled on the economic sanctions licensing regime managed by the Treasury Department’s Office of Foreign Assets Control.

Countries of Concern and Covered Persons

Countries of Concern. The ANPRM proposes to identify China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela as the countries of concern.

Covered Persons. The ANPRM proposes to define the “covered persons” as (1) an entity owned by, controlled by, or subject to the jurisdiction or direction of a country of concern, (2) a foreign person who is an employee or contractor of such an entity, (3) a foreign person who is an employee or contractor of a country of concern, and (4) a foreign person who is primarily resident in the territorial jurisdiction of a country of concern. The Justice Department may also designate specific persons and entities as “covered persons.”

Implementation

The regime will only become effective upon the publication of final administrative rules. The scope of the final rules may significantly differ from the proposals published in the ANPRM. In addition, the EO affords significant discretion to the Justice Department and other agencies to issue interpretive guidance and enforcement guidelines to further clarify and refine the process and mechanisms for complying with the final rules, including potential due diligence, record keeping, or voluntary reporting requirements.

This week is National Consumer Protection Week. Based on the recent statistics published by the FTC on online, digital, and voice scamming, consumers sorely need more help protecting themselves from scams.

The FTC provides great tools to consumers to prevent them from becoming the scam victims. This week, the FTC issued several consumer alerts and tips that are designed to assist consumers with education on the newest scams, how to prevent becoming a victim, and the ability to identify and then report a scam. FTC.gov is an excellent resource for consumers to stay on top of scams, get educated, and share tips with those around them. These tips are available all year long—not just during National Consumer Protection Week.

We continue to hear terrible stories of consumers becoming victims of online scams, and the statistics get worse year after year. Take advantage of the free tools provided by the FTC, become a scam prevention evangelist, and help everyone around you from becoming a victim.

The Health Sector Cybersecurity Coordination Center (HC3) recently warned the health care sector about the Akira ransomware group that has been hitting health care organizations since May of 2023. In an Analyst Note dated February 7, 2024, HC3 stated that although Akira is a relatively new ransomware group, it has attacked at least 81 organizations in its short life, and “U.S. healthcare organizations are advised to follow the steps in this alert to minimize their risk of attack.”

Akira uses double extortion strategies to maximize its profits and operates a leak site to exert additional pressure on its victims. The most recent tactics, techniques, and procedures used by Akira are outlined in the Alert. HC3 surmises that Akira has some relationship with another well-known ransomware group, Conti, based on an analysis of shared financial infrastructure for payments through cryptocurrency wallets.

HC3 provides defense and mitigation recommendations, and healthcare organizations may wish to review these following the warning.

In a joint release last week, the Cybersecurity and Infrastructure Security Agency (CISA) and other federal agencies issued a chilling Advisory about the ongoing attacks by Volt Typhoon on U.S. critical infrastructure. Volt Typhoon is a People’s Republic of China (PRC) sponsored group that uses slow and persistent techniques to gain entry into U.S.-based critical infrastructure. CISA urges “critical infrastructure organizations and technology manufacturers to read the joint advisory and guidance to defend against this threat.”

Soon after the Joint Alert, Dragos released its Report “VOLTZITE Espionage Operations Targeting U.S. Critical Systems,” which provides concerning information about the overlap between Volt Typhoon and VOLTZITE and how it is targeting and successfully gaining access to U.S. critical infrastructure.

According to Dragos, “VOLTZITE has been observed performing reconnaissance and enumeration of multiple U.S.-based electric companies since early 2023, and since then has targeted emergency management services, telecommunications, satellite services, and the defense industrial base. Additionally, Dragos has discovered VOLTZITE targeting electric transmission and distribution organizations in African nations.” Dragos also notes that the threat actors are difficult to detect, and that their “slow and steady reconnaissance enables VOLTZITE to avoid detection for lengthy periods of time.”

Dragos has tracked VOLTZITE in 2023 as follows:

  • Early 2023 – US Territory of Guam compromise.
  • June 2023 – VOLTZITE infiltrates United States emergency management organization.
  • August 2023 – Dragos discovers VOLTZITE targeting African electric transmission and distribution providers.
  • November 2023 – Dragos collaborated with E-ISAC on analysis of VOLTZITE activity against multiple U.S. based electric sector organizations.
  • December 2023 – Dragos discovered evidence that VOLTZITE has overlaps with UTA0178, a threat activity cluster tracked by Volexity, exploiting Ivanti Connect Secure (ICS) VPN zero-day vulnerabilities.
  • January 2024 – Extensive reconnaissance of a U.S. telecommunications provider’s external network gateways.
  • January 2024 – Evidence of compromise against a large U.S. city’s emergency services GIS network.

Not only is the PRC conducting slow and steady reconnaissance of critical infrastructure in the U.S., but it is also conducting daily reconnaissance of TikTok users. The PRC is a threat to national security on both fronts. Dragos provides ways critical infrastructure operators can mitigate the threat posed by VOLTZITE, which is an important read.

This week we are pleased to have a guest post by Robinson+Cole Artificial Intelligence Team patent agent Daniel J. Lass.

After several high-profile instances of artificial intelligence (AI) hallucination and Chief Justice John Roberts’s year-end report acknowledging the shortcomings of blindly relying on AI in legal writing, Kathi Vidal, the Director of the U.S. Patent and Trademark Office (USPTO), issued a memo concerning the use of AI when practicing before the USPTO. She echoed that while AI can be helpful to practitioners, the existing USPTO Rules of Professional Conduct impose duties related to any submission. 

Practitioners are required to sign most papers filed with the USPTO. By signing the paper, the practitioner is indicating that they reasonably believe the statements made in the paper are true and that any legal contentions are warranted. Director Vidal specifically indicated that assuming that an AI tool is correct without any verification is not reasonable. Practitioners who fail to follow this warning risk the paper being given less weight, the USPTO terminating the proceeding, or facing discipline.

Despite these warnings, the USPTO is looking into ways to utilize AI in the patent process. President Biden instructed Director Vidal to issue guidance on AI inventorship and patent eligibility. This guidance indicates that AI-assisted inventions are not necessarily unpatentable. To be patentable, the claims should highlight the human contribution. The USPTO listed five non-exhaustive factors to assist in determining whether a human’s contribution is significant enough to qualify the human as an inventor. These generally indicate that a person must contribute to an inventive concept beyond presenting a problem to be solved by an AI model or simply overseeing the AI system.

In noting that an AI model can be a contributor but not an inventor, Director Vidal reinforced that practitioners have a reasonable duty to inquire into the inventorship of an application and ensure that a human contributed to the invention in a significant enough way to be properly named an inventor. However, the USPTO does not require any further disclosure related to the use of AI in the inventive process beyond any pre-existing requirements. The USPTO will host a webinar on March 5, 2024, to explain its new guidance further.

The Federal Trade Commission (FTC) keeps track of scams that are reported to it and summarizes those scams in a report outlining the most successful scams of the prior year.

The 2023 statistics are disturbing, as many of the same techniques from previous years are still being used successfully by threat actors. Old scams continue to be profitable for fraudsters: the amount of money scammers obtained from victims in 2023 was the most ever reported to the FTC. That amount is $10 billion, a whopping $1 billion more than in 2022.

The Data Book, as the FTC calls it, found that “email was the #1 contact method for scammers this year, especially when scammers pretended to be a business or government agency to steal money.”

According to the report, here are other takeaways for 2023:

Imposter scams. Imposter scams remained the top fraud category, with reported losses of $2.7 billion. These scams include people pretending to be your bank’s fraud department, the government, a relative in distress, a well-known business, or a technical support expert.

Investment scams. While investment-related scams were the fourth most reported fraud category, losses in this category grew. People reported median losses of $7.7K – up from $5K in 2022.

Social media scams. Scams starting on social media accounted for the highest total losses at $1.4 billion – an increase of $250 million from 2022. But scams that started with a phone call caused the highest per-person loss ($1,480 average loss).

Payment methods. How did scammers prefer that people pay? With bank transfers and payments, which accounted for the highest losses ($1.86 billion). Cryptocurrency is a close second ($1.41 billion reported in losses).

Losses by age. Of people who reported their age, younger adults (20-29) reported losing money more often than older adults (70+). However, when older adults lost money, they lost the most.

The Data Book provides a sobering look at victims’ losses and is a document that everyone can learn from, no matter your age.