On June 2, 2022, CISA (the Cybersecurity and Infrastructure Security Agency), the FBI, the Department of the Treasury and the Financial Crimes Enforcement Network issued a joint Cybersecurity Alert warning companies of the Karakurt Team/Karakurt Lair extortion group, which has “employed a variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation.” According to the Alert, the group does not encrypt data for ransom, but instead steals data, then threatens to auction it off or release it to the public for ransoms ranging from $25,000 to $13,000,000 in Bitcoin.

Not only does Karakurt threaten to auction off the data or release it publicly like many ransomware groups, but it also has contacted victims’ employees, business partners, and clients with harassing emails and phone calls to pressure the victims to cooperate. The emails have contained examples of stolen data, such as social security numbers, payment accounts, and private company emails, as well as sensitive business data belonging to employees or clients. Upon payment of ransoms, Karakurt actors have provided some form of proof of deletion of the files and, occasionally, a brief statement explaining how the initial intrusion occurred.

According to the Alert, as of May 2022, Karakurt’s website “contained several terabytes of data purported to belong to victims across North America and Europe, along with several ‘press releases’ naming victims who had not paid or cooperated, and instructions for participating in victim data ‘auctions.’”

The methods used by Karakurt to obtain access to devices include:

  • Purchasing stolen login credentials
  • Cooperation with other cybercriminals who provide access to compromised company networks
  • Buying access to already compromised data through “third-party intrusion broker networks”

The intrusions exploit software vulnerabilities (such as the Log4j vulnerability) and outdated versions of software, as well as phishing and spearphishing campaigns.

The Alert and mitigation steps can be accessed here.

Recently, San Diego Family Care (SDFC) settled a class action related to a 2020 data breach for $1 million. The class includes all SDFC patients (or their parents/guardians) who received a breach notification in May 2021.

SDFC offers patients primary care as well as dental and mental health care, operates eight health centers in San Diego, and treats thousands of patients. In December 2020, SDFC was the victim of a data breach that led to the unauthorized disclosure of names, dates of birth, Social Security numbers, account numbers, treatment information, insurance data, and other sensitive patient data. The breach occurred as a result of lax security safeguards at SDFC’s technology-hosting provider: the provider was breached first, and that breach led to the attack on SDFC. SDFC stated in its notification letter that it learned of the breach in January 2021.

The complaints in the consolidated class actions allege that SDFC failed to protect patients’ information during the 2020 data breach, and that SDFC did not promptly notify patients upon learning of the breach so they could take steps to protect themselves from identity theft or other harm.

Eligible class members may receive cash payments up to $100 and may also submit documentation for reimbursement for ordinary out-of-pocket expenses of up to $1,000 and up to $5,000 for extraordinary out-of-pocket expenses. Each class member may also redeem identity theft protection services within 90 days of receiving a code for such services. The court is scheduled to issue its final approval of the settlement on July 29, 2022, and class members have until July 15, 2022, to submit a claim for reimbursement.

The University of Pittsburgh Medical Center (UPMC) recently settled a data breach class action for $450,000 stemming from a 2020 data breach that compromised the data of about 36,000 UPMC patients.

UPMC is a Pennsylvania medical center and medical insurer. From April to June 2020, UPMC’s legal counsel, Charles J. Hilton PC, suffered a data breach that compromised its email accounts. As a result, UPMC information was also compromised, including patient names, Social Security numbers, birth dates, financial account numbers, identification numbers, signatures, medical records, and insurance information.

UPMC notified the affected patients in December 2020. The complaint alleges that UPMC had a duty to protect the patient data and failed to implement reasonable cybersecurity measures to do so. The lead plaintiff in the case alleged that after the incident occurred, a fraudulent Amazon credit card was opened in his name. He also claims that this led to significant time spent mitigating the issue. Class members may receive up to $250 in cash payments for documented expenditures related to this incident, up to $2,500 for documented identity theft losses or fraudulent charges, and up to $30 for undocumented time spent. All class members will also receive 12 months of free credit monitoring.

In a recent Private Industry Notification to the higher education sector, the FBI warned that U.S. college and university credentials are being advertised “for sale on online criminal marketplaces and publically [sic] accessible forums.”

The Notification warns that the exposure of credentials and network access information, “especially privileged user accounts, could lead to subsequent cyber-attacks against individual users or affiliated organizations.”

One of the threats listed included that:

“As of January 2022, Russian cyber criminal forums offered for sale or posted for public access the network credentials and virtual private network accesses to a multitude of identified US-based universities and colleges across the country, some of which included screenshots as proof of access. Sites posting credentials for sale typically listed prices varying from a few to multiple thousands of US dollars.”

The FBI recommends that colleges and universities stay in close contact with the Bureau so it can assist in the event of an attack. It also provides a list of 11 bulleted items to mitigate the risk.

Last week, China announced the launch of the world’s first crewless drone carrier, which uses artificial intelligence to navigate open water autonomously. The Chinese government has said that the vessel will be used as a maritime research tool, but many skeptics suggest that it could also be used as a military vessel.

The vessel is about 290 feet long, 45 feet wide and 20 feet deep. It can carry dozens of drones equipped with various observation instruments for air, sea, and underwater. The vessel can also be used to collect data. From a scientific standpoint, China’s drones could collect data from both the surface and subsurface for use in disaster mitigation and environmental monitoring – all without a crew or any direct human interaction on the vessel.

Technologies like this drone-carrying, AI-equipped vessel have dual-use applications. In addition to scientific research, such technologies can be used to conduct surveillance and maritime domain awareness.

Vessels like this will transform ocean observation and data collection from the sea. The vessel uses the “Intelligent Mobile Ocean Stereo Observing System,” which was developed by the Southern Marine Science and Engineering Guangdong Laboratory. It can be controlled remotely and is capable of traveling at up to 18 knots (about 20 mph).

The vessel has been unveiled, but China will continue to conduct sea trials before its official use and maiden voyage later in 2022.

According to the 2022 State of Ransomware Report recently issued by Sophos, the company surveyed 5,600 IT professionals from 31 countries, including professionals in the health care sector. Of the health care respondents, 66 percent reported having experienced a ransomware attack in 2021, an increase of 69 percent over 2020. This was the largest increase of all sectors surveyed.

If you look at the Office for Civil Rights data breach portal, you will see that the vast majority of breaches reported by health care providers and business associates are categorized as “Hacking/IT incident.” This confirms that the health care sector continues to be attacked by threat actors seeking to steal patients’ protected health information.

If you are a patient who receives a breach notification letter from a health care provider or business associate, the letter will provide guidance on how to protect yourself following the breach and may offer protective services such as credit monitoring or fraud resolution. Such letters are sent to patients to comply with the breach notification requirements of HIPAA and state law, which require that patients be given mitigation steps following a breach so they can protect themselves from fraud. Avail yourself of these protections if your information is compromised, and take the time to sign up for the mitigation offered. It is clear that these attacks will not subside any time soon.

Ramping up its continued focus on data privacy, Colorado Governor Jared Polis signed into law on June 8, 2022, legislation aimed at limiting the use of facial recognition technology by government agencies and state institutions of higher education.

The legislation, SB 113, requires an agency – defined as “an agency of the state government or of a local government; or a state institution of higher education” – that intends to “develop, procure, use or continue to use facial recognition service” to file a notice of intent to use those services with its “reporting authority” before using the technology.

The notice must provide details of the vendor to be used, the capabilities and limitations on the use of the facial recognition technology, the type of data collected by the technology, how data will be collected and processed, the purpose of the use and the benefits of the proposed use of the technology. In addition, the notice must provide information on how the data will be stored and secured, what policies will govern the information collected and testing and reporting of “false matches, potential impacts on protected subpopulations, and how the agency will address error rates that are determined independently to be greater than one percent.”

The law requires agencies and state institutions of higher education to provide an accountability report on how the use of facial recognition impacts civil rights and liberties, “including potential impacts to privacy and potential disparate impacts on marginalized communities, including the specific steps the agency will take to mitigate the potential impacts” and how it will receive feedback on the use of the technology. Agencies are required to submit an accountability report prior to deploying the technology and allow public review and comment, including three public meetings. The accountability report is required to be published publicly at least 90 days prior to deploying the technology.

The law requires users of facial recognition technology in an agency to be trained on its use and sets forth certain limitations and prohibitions on the use of the technology by law enforcement. It also prohibits the use of facial recognition services by any public school, charter school or institute charter school until January 1, 2025. The law is dense in its requirements and goes into effect on August 10, 2022.

A joint advisory issued June 7, 2022, by the Cybersecurity & Infrastructure Security Agency, FBI and the National Security Agency, entitled “People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices,” warns that Chinese state-sponsored cyber actors are exploiting “publicly known vulnerabilities in order to establish a broad network of compromised infrastructure.” The entities attacked by the hackers include “public and private sector organizations,” including telecommunications companies and network service providers.

The top vulnerabilities exploited by the attackers include “Common Vulnerabilities and Exposures (CVEs)-associated with network devices routinely exploited by the cyber actors since 2020,” including “unpatched network devices.”

According to the Alert, “These cyber actors are also consistently evolving and adapting tactics to bypass defenses. The NSA, CISA, and FBI have observed state-sponsored cyber actors monitoring network defenders’ accounts and actions, and then modifying their ongoing campaign as needed to remain undetected. Cyber actors have modified their infrastructure and toolsets immediately following the release of information related to their ongoing campaigns. PRC state-sponsored cyber actors often mix their customized toolset with publicly available tools, especially by leveraging tools that are native to the network environment, to obscure their activity by blending into the noise or normal activity of a network.”

The list of CVEs most commonly exploited by the China-based hackers is provided in the Alert. The Alert is meant to “urge” organizations to apply the recommended mitigation and detection methods outlined in the Alert and provides resources for more information.

It has been over 18 months since Massachusetts voters approved an update to the state’s ‘right to repair’ law; however, the changes have still not gone into effect. Why? The automakers’ lawsuit seeking to block the law is still making its way through the U.S. District Court (Alliance for Automotive Innovation v. Healy, Docket No. 1:20-cv-12090 (D. Mass. 2020)). As we previously wrote, the ‘right to repair’ law allows consumers to take their car to any repair shop (not just the dealer) and have their mechanic plug a cord into the car’s onboard computer system to figure out what’s wrong with the car, or, alternatively, a consumer can buy a device and do this themselves. This has still not been implemented because of the pending lawsuit. Now, in a recent brief filed by the Massachusetts Right to Repair Coalition, lawyers called for a “prompt decision” in the lawsuit and alleged that automakers are using “delay tactics in order to avoid and prevent the implementation of ‘right to repair’ laws.” Specifically, the brief stated, “Undoubtedly, delays are an inevitable part of litigation [. . .] But delay has also been an integral part of auto manufacturers’ strategy in frustrating the ongoing efforts of consumers and independent repair shops to obtain fair and equitable access to diagnostic data needed to maintain and repair vehicles.”

In April 2022, Judge Douglas Woodlock announced he needed additional time to release his ruling following a June 2021 bench trial, due to his “demanding” criminal trial schedule, the recommencement of non-trial proceedings, and other responsibilities. Judge Woodlock informed the parties to the suit that he would complete his finding and ruling by July 1, 2022.

The lawsuit claims that the updates to the right to repair law create “an impossible task” for automakers to equip new vehicles (beginning with model year 2022) with “an inter-operable, standardized, and open access platform.” However, counsel for the Right to Repair Coalition wrote in its recent brief that the delay in implementing the law is detrimental to the repair and aftermarket industry (including the 40,000 or so workers employed in those industries), as well as to consumers. The brief cites a 2020 study of repair costs in Massachusetts showing that dealers are 36.2% more expensive than independent repair shops. Further, the brief states, “Owners are being turned away by repair shops that simply cannot fix their cars [. . . ] The result is that the viability of the independent repair market is already being significantly harmed, and this harm will only be exacerbated by the passage of time.” The July 1st ruling promised by Judge Woodlock is quickly approaching. We will keep you updated.

Actor and comedian Seth Green, best known for creating Robot Chicken and portraying Dr. Evil’s son in the Austin Powers franchise, announced on Twitter last month that phishers stole his four “Bored Ape” NFTs. Let’s break down that mouthful: NFTs are a blockchain technology that creates indisputable ownership records that the art world has embraced as a way to buy and sell digital artwork. “Bored Apes” are a specific line of NFTs depicting original characters based on – you guessed it – bored apes.

Art theft is nothing new, but NFTs turn these existing precedents upside down. Traditional artwork is valuable because it’s unique and exclusive, and NFTs attempt to impose this uniqueness onto digital works. When a thief steals a painting, it’s gone. The underlying asset still exists when they steal an NFT, and anyone can still make infinite copies. Instead of stealing the pieces themselves, the thieves stole Green’s IP rights in the asset.

The stolen NFTs featured original characters that Green had developed into a television show. Unfortunately, the thief immediately flipped the pilfered monkeys to another presumably unsuspecting individual for $200,000. Green’s show has paused development, and likely won’t see the light of day unless he settles with the user who purchased the stolen NFTs. Green indicated that he was ready to take the issue to court and “set precedent” if that doesn’t work.

This case should be a lesson for artists and investors considering linking their IP to the blockchain: Copyright law already protects the legal rights of owners, and NFTs may not. While NFTs are incredible for recording title and provenance, treating them as commodities is inherently risky.