The Cybersecurity and Infrastructure Security Agency (CISA), along with the Federal Bureau of Investigation (FBI), the National Security Agency, and other international partners, issued an Alert on September 5, 2024, warning that cyber actors affiliated with the Russian military are targeting critical infrastructure, government services, financial services, transportation systems, energy, and healthcare sectors of NATO members.

The Alert warns that Unit 29155 cyber actors affiliated with the Russian military are collecting information for “espionage purposes, reputational harm caused by the theft and leakage of sensitive information, and systematic sabotage caused by the destruction of data.” The cyber actors of Unit 29155 have been assessed as officers of the GRU and are being assisted by “known cyber-criminals.” Some of the threat group names associated with these actors include Cadet Blizzard, Ember Bear, Frozenvista, UNC2589, and UAC-0056.

Unit 29155 is believed to be responsible for WhisperGate against Ukraine and is involved in attacking numerous members of NATO. “The activity includes cyber campaigns such as website defacements, infrastructure scanning, data exfiltration, and data leak operations. These actors sell or publicly release exfiltrated victim data obtained from their compromises.”

The FBI has detected more than 14,000 instances of domain scanning, and the actors “have defaced victim websites and used public website domains to post exfiltrated victim information.”

The Alert details the tactics, techniques, and procedures the threat actors use. To mitigate this, the Alert urges organizations to:

  • Prioritize routine system updates and remediate known exploited vulnerabilities.
  • Segment networks to prevent the spread of malicious activity.
  • Enable phishing-resistant multifactor authentication (MFA) for all externally facing account services, especially for webmail, virtual private networks (VPNs), and accounts that access critical systems.

Should kids be on social media? At what age? Should parents monitor their conversations on those platforms? Do parental controls work? These are questions facing many parents and guardians, especially with the increasing use of social media platforms by kids and teens. The Pew Research Center reported that 58% of teens are daily users of TikTok, and 50% of teens use Snapchat and Instagram daily.

With kids using social media platforms so frequently, concern is growing about their effects on adolescents. That concern comes not only from parents but lawmakers, too. Lawmakers have conducted multiple congressional hearings on online safety for children, but even with bipartisan agreement, drafting and implementing laws takes time.

While there is already technically a law that prohibits children under the age of 13 from using online platforms that advertise to them and collect their data without parental consent (Children’s Online Privacy Protection Act (COPPA)), it went into effect almost 25 years ago. The goal of COPPA was to protect children’s online privacy by requiring transparency in data collection with disclosures in privacy policies and to obtain consent before collecting personal information from children under the age of 13. To comply with COPPA, most social media companies simply ban children under the age of 13 from using the service at all.

However, times have changed, and online privacy is no longer the only concern when it comes to children’s use of social media platforms. Now, there are concerns like cyberbullying, harassment, the risk of developing eating disorders, and suicidal thoughts. New York Attorney General Letitia James said, “Young people across our country are struggling, and …addictive social media algorithms are only making th[e] mental health crisis worse.” Attorney General James’s statement comes after 42 state Attorneys General wrote a letter this week urging Congress to require labels on social media platforms to warn of the potential risks to children.

This push comes after a June New York Times op-ed by U.S. Surgeon General Vivek Murthy, in which he urges lawmakers to require social media platforms to place tobacco-style warning labels on social media to alert users that the platforms can harm children’s mental health. The coalition of 42 Attorneys General endorsed Murthy’s plan in its letter to Congress, stating that such requirements on social media platforms would be only “one consequential step toward mitigating the risk of harm to youth.” The letter further states, “By mandating a surgeon general’s warning on algorithm-driven social media platforms, Congress can help abate this growing crisis and protect future generations of Americans.”

In his op-ed, Murthy cited evidence that adolescents who spend substantial time on social media are at greater risk of facing anxiety and depression, and many teens say the sites have worsened their body images. While many have suggested that more research is necessary before taking action, many state and federal officials voice their concern about the dangers that social media platforms such as Instagram and TikTok can pose to children’s mental health, including by exposing them to bullying, harassment, illicit drugs, and sexually abusive material. For example, in July, the Senate passed legislation that requires tech companies to take “reasonable” steps to prevent harm to children who use their platforms and to expand existing protections for children’s online data. At the state level, several Attorneys General filed a lawsuit against Meta for its use of addictive design features on Instagram and Facebook.

However, this push is also being challenged by tech industry groups and free-speech advocates.

In the state Attorneys General’s letter to Congress, the group stated that a social media warning label “would not only highlight the inherent risks that social media platforms presently pose for young people, but also complement other efforts to spur attention, research, and investment into the oversight of social media platforms.” We will surely see a surge in efforts to better protect children online and on social media platforms—the use is only increasing so the legislative efforts will likely increase, too.

The Centers for Medicare & Medicaid Services (CMS) and the Wisconsin Physicians Service Insurance Corporation (WPS) have announced that 946,801 current Medicare recipients are being notified that their personal information may have been exposed during the MOVEit security incident that occurred in 2023. According to CMS, “a vulnerability in the MOVEit software made it possible, between May 27 through 31, 2023, for unauthorized third parties to gain access to Personal Information that was transferred using MOVEit.”

The information present in the files included name, social security number, date of birth, mailing address, gender, hospital account number, dates of service, and Medicare Beneficiary Identifier and/or Health Insurance Claim Number. CMS is providing credit monitoring for 12 months and has other recommendations in the event you receive a notification letter.   

Lehigh Valley Health Network (LVHN) has agreed to settle a class action filed against it following a February 2023 ransomware attack that compromised personal information of patients, including medical and treatment information, health insurance information and, for some individuals, social security numbers, driver’s license numbers, and banking information. For a limited number of individuals, the “clinical images of patients during treatment” were stolen by the ransomware group.

According to SecurityWeek, in March of 2023, “the BlackCat ransomware group published some of the stolen information on its Tor-based leak site,” which included “nude photos of patients.”

SecurityWeek is reporting that the plaintiffs’ law firm has announced that a settlement of $65 million has been reached and is alleging that it is the “largest settlement ever in a healthcare data breach-ransomware case.” The settlement includes payment to every class member between $50 and $70,000. A hearing to determine whether the settlement is approved by the court is scheduled for November 15, 2024.

According to the FBI, it has “seen a huge increase in the number of cases involving children and teens being threatened and coerced into sending explicit images online,” also known as sextortion.

In some cases, the criminal will threaten the teen that they have a revealing picture or video and that they will share the video if the victim doesn’t share more pictures or videos. In most cases, the scheme starts when the victim believes they are communicating with a peer who is interested in a relationship. During the communication, the threat actor requests an explicit picture or video. After the victim unknowingly sends the picture or video, the communication turns, and the threat actor threatens to publish the content unless they are paid sums of money. According to the FBI, “the shame, fear, and confusion children feel when they are caught in this cycle often prevents them from asking for help or reporting the abuse. Caregivers and young people should understand how the crime occurs and openly discuss online safety.”

On September 9, 2024, the Department of Justice announced that four Delaware men have been charged with an international sextortion and money laundering scheme that “targeted thousands of victims throughout the United States, Canada, and the United Kingdom.”

According to the indictment, the four men, residents of Wilmington, Delaware, were “engaged in cyberstalking, interstate threats, extortion, money laundering, and wire fraud. As part of the scheme, the conspirators, utilizing multiple payment methods, attempted to extort approximately $6.9 million from thousands of potential victims, and they successfully extorted approximately $1.9 million from these victims through CashApp and Apple Pay alone.”

The indictment outlines that the four men posed as young females online and communicated with thousands of potential victims. They offered to provide and did provide victims with “sexual photographs, video recordings, and/or ‘web cam’ or ‘live video chat’ sessions depicting what they falsely portrayed to be a young female, when in fact the conspirators were the ones operating the accounts.” They then “surreptitiously recorded the victims as they exposed their genitals and/or engaged in sexual activity.” They then sent the victims copies of the images and threatened to distribute the images to friends, family, significant others, and employers and to distribute them widely over the internet unless the victims paid them. The indictment and details of the scheme are ripe for a frank discussion with teens on safe online practices.

The National Institute of Standards and Technology (NIST) has issued helpful recommendations for consumers to consider when securing home routers.

The publication, issued on September 10, 2024, emphasizes how important it is to secure the router in your home, particularly with the expansion of the smart home, Internet of Things devices, and remote work.

According to the publication, “ensuring the security of routers is crucial for safeguarding not only individuals’ data but also the integrity and availability of entire networks.”

Although the publication is somewhat technical and is intended primarily for manufacturers of consumer-grade routers, it provides useful information for consumers that emphasizes the importance of the security of home routers. The publication outlines the risk associated with home routers if not secured. “A compromised router opens the door to a host of potential exploited vulnerabilities and impacts, ranging from unauthorized access and sensitive information dissemination to the possibility of malicious attacks on connected devices. Ensuring the security of routers is crucial for safeguarding not only individual privacy and safety but also the integrity and availability of entire networks.”

The NIST recommendations for manufacturers of consumer routers are one step in advancing the security of home routers. Consumers may wish to consider setting a strong, unique passphrase for their home router rather than leaving the manufacturer’s default password in place.

The Cybersecurity & Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the Department of Defense Cyber Crime Center (DC3) issued a joint alert on August 28, 2024, warning U.S.-based organizations that cyber actors, “known in the private sector as Pioneer Kitten, UNC757, Parisite, Rubidium, and Lemon Sandstorm,” are targeting and exploiting U.S. organizations “across multiple sectors.” Those sectors include “education, finance, healthcare, and defense sectors as well as local government entities.”

The FBI has assessed that these cyber actors are “connected with the Government of Iran (GOI) and linked to an Iranian information technology (IT) company. Their malicious cyber operations are aimed at deploying ransomware attacks to obtain and develop network access. These operations aid malicious cyber actors in further collaborating with affiliate actors to continue deploying ransomware.”

The alert outlines the tactics, techniques, and procedures used by the threat actors and the indicators of compromise. The alert recommends that organizations follow the mitigations provided in the alert to defend against the activity.

A class action complaint was filed against the International Brotherhood of Electrical Workers (IBEW) labor union for a data breach that occurred between March 31 and April 5, 2024. IBEW represents individuals who work in a wide variety of fields, including utilities, construction, telecommunications, broadcasting, manufacturing, railroads, and government. The security incident resulted in unauthorized access to the names and social security numbers of current and former members of IBEW.

This incident resulted from a ransomware attack led by the cybercriminal group BlackSuit, which was part of a larger attack on many other businesses in March 2024. Most recently, this group attacked CDK Global, a major automobile dealership software vendor, which affected car dealerships nationwide.

IBEW notified affected individuals of the breach on or about August 5, 2024; the incident was initially discovered on July 3, 2024. The class action complaint, filed in the U.S. District Court for the Eastern District of Missouri, alleges that this “delay” caused harm to the affected individuals.

The lead plaintiff, a retired electrician from Illinois, claims that IBEW’s delay resulted in the loss by the class “of the opportunity to try and mitigate injuries in a timely matter.” Further, in the notification to the affected individuals provided by IBEW, the union disclosed that the incident “created a present, continuing and significant risk of suffering identity theft.”

The complaint further alleges that IBEW failed to follow the Federal Trade Commission’s 2016 guidelines for businesses regarding fundamental data security principles, and that the incident constituted a violation of the federal unfair trade practices act. The complaint also includes allegations that the IBEW acted negligently, breached its implied contract with its current and former members, and violated the Illinois Consumer Fraud Act.

Last year, the American Hospital Association (AHA) sued the U.S. Department of Health and Human Services (HHS) in the U.S. District Court for the Northern District of Texas, requesting that HHS be barred from enforcing guidance issued by the Office for Civil Rights entitled “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.” The guidance treated an individual’s IP address, combined with a visit to an unauthenticated public webpage addressing specific health conditions or providers, as protected health information, which effectively barred health care entities from deploying third-party web tracking technologies that capture IP addresses on such pages.

The federal district court ruled in favor of the AHA, holding that the guidance was “promulgated in clear excess of HHS’s authority under HIPAA.” HHS filed a notice of appeal on August 19, 2024, but withdrew it ten days later. The effect of this withdrawal is that the district court order remains in place, and the Office for Civil Rights is prohibited from enforcing the guidance. Despite this development, hospitals and health care systems continue to get mired in litigation surrounding the use of pixel technology and continue to grapple with the use of online tracking technology.

Recently, the National Institute of Standards and Technology (NIST) released its second public draft of Digital Identity Guidelines (Draft Guidelines). The Draft Guidelines focus on online identity verification, but several provisions have implications for government contractors’ cybersecurity programs, as well as contractors’ use of artificial intelligence (AI) and machine learning (ML). 

Government Contractor Cybersecurity Requirements

Many government contractors have become familiar with personal identity verification standards through NIST’s 2022 FIPS PUB 201-3, “Standard for Personal Identity Verification (PIV) of Federal Employees and Contractors,” which established standards for contractors’ PIV systems used to access federally controlled facilities and information systems. Among other things, FIPS PUB 201-3 incorporated biometrics, cryptography, and public key infrastructure (PKI) to authenticate users, and it outlined the protection of identity data, infrastructure, and credentials.

Whereas FIPS PUB 201-3 set the foundational standard for PIV credentialing of government contractors, the Draft Guidelines expand upon these requirements by introducing provisions regarding identity proofing, authentication, and management.  These additional requirements include:

Expanded Identity Proofing Models. The Draft Guidelines offer a new taxonomy and structure for the requirements at each assurance level based on the means of providing the proofing, whether the means are remote unattended proofing, remote attended proofing (e.g., videoconferencing), onsite unattended (e.g., kiosks), or onsite proofing.

Continuous Evaluation and Monitoring. NIST’s December 2022 Initial Public Draft (IPD) of the guidelines required “continuous improvement” of contractors’ security systems. Building upon this requirement, the Draft Guidelines introduce requirements for continuous evaluation metrics for the identity management systems contractors use. The Draft Guidelines direct organizations to implement a continuous evaluation and improvement program that leverages input from end users interacting with the identity management system and performance metrics for the online service. Under the Draft Guidelines, organizations must document this program, including the metrics collected, the data sources, and the processes in place for taking timely action on what the continuous evaluation surfaces.

Fraud Detection and Mitigation Requirements. The Draft Guidelines add programmatic fraud requirements for credential service providers (CSPs) and government agencies. Additionally, organizations must monitor the evolving threat landscape to stay informed of the latest threats and fraud tactics. Organizations must also regularly assess the effectiveness of current security measures and fraud detection capabilities against the latest threats and fraud tactics.

Syncable Authenticators and Digital Wallets. In April 2024, NIST published interim guidance for syncable authenticators. The Draft Guidelines integrate this guidance and thus allow the use of syncable authenticators and digital wallets (previously described as attribute bundles) as valid mechanisms to store and manage digital credentials. Relatedly, the Draft Guidelines offer user-controlled wallets and attribute bundles, allowing contractors to manage their identity attributes (e.g., digital certificates or credentials) and present them securely to different federal systems.

Risk-Based Authentication. The Draft Guidelines outline risk-based authentication mechanisms, whereby the required authentication level can vary based on the risk of the transaction or system being accessed. This allows government agencies to assign appropriate authentication methods for contractors based on the sensitivity of the information or systems they are accessing.
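As an added illustration of the risk-based mechanism described above (this is example code written for this page, not NIST’s or any contractor’s implementation), the following Python sketch maps a request’s risk signals onto a required SP 800-63 Authentication Assurance Level (AAL1 through AAL3), compares it with the level the presented authenticators actually support, and decides whether to allow the request or demand step-up authentication. The AAL rules are a deliberate simplification of SP 800-63B, and the resource labels, risk signals, and value threshold are assumptions chosen for the example.

```python
"""Risk-based step-up authentication mapped onto SP 800-63 AALs.

Illustrative example only: the AAL rules are a simplification of SP 800-63B,
and the resource labels, risk signals and threshold below are assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, Iterable, Optional, Tuple


class AAL(IntEnum):
    AAL1 = 1  # single factor
    AAL2 = 2  # two distinct factors
    AAL3 = 3  # two factors, including a hardware-bound, phishing-resistant authenticator


@dataclass(frozen=True)
class Authenticator:
    name: str
    factors: FrozenSet[str]           # subset of {"knowledge", "possession", "inherence"}
    phishing_resistant: bool = False  # e.g. FIDO2/WebAuthn or PIV
    hardware_bound: bool = False      # private key cannot be exported or synced


@dataclass(frozen=True)
class Request:
    resource_sensitivity: str    # assumed labels: "low", "moderate", "high"
    new_device: bool = False     # first time this device is seen for the account
    geo_changed: bool = False    # country differs from the account's recent history
    transaction_value: float = 0.0


BASELINE = {"low": AAL.AAL1, "moderate": AAL.AAL2, "high": AAL.AAL3}
HIGH_VALUE_THRESHOLD = 10_000.0  # assumed policy threshold


def required_aal(req: Request) -> AAL:
    """Start from the resource's baseline level and raise it on risk signals."""
    level = BASELINE[req.resource_sensitivity]
    if req.new_device or req.geo_changed:
        level = max(level, AAL.AAL2)  # unfamiliar context: never accept a single factor
    if req.transaction_value >= HIGH_VALUE_THRESHOLD:
        level = AAL.AAL3              # high-value action: require phishing-resistant hardware
    return level


def achieved_aal(auths: Iterable[Authenticator]) -> Optional[AAL]:
    """Level the presented authenticators support, or None if nothing was presented."""
    auths = list(auths)
    if not auths:
        return None
    factors = set().union(*(a.factors for a in auths))
    if len(factors) >= 2 and any(a.phishing_resistant and a.hardware_bound for a in auths):
        return AAL.AAL3
    if len(factors) >= 2:
        return AAL.AAL2
    return AAL.AAL1


def authorize(req: Request, auths: Iterable[Authenticator]) -> Tuple[str, AAL]:
    """Return ("allow", level) or ("step_up", level), where level is what the request needs."""
    need = required_aal(req)
    have = achieved_aal(auths)
    if have is not None and have >= need:
        return "allow", need
    return "step_up", need


# Constructed sample authenticators for the example (not real credentials).
PASSWORD = Authenticator("password", frozenset({"knowledge"}))
TOTP_APP = Authenticator("totp", frozenset({"possession"}))
SECURITY_KEY = Authenticator("fido2-key+pin", frozenset({"possession", "knowledge"}),
                             phishing_resistant=True, hardware_bound=True)

if __name__ == "__main__":
    print(authorize(Request("low"), [PASSWORD]))
    print(authorize(Request("low", new_device=True), [PASSWORD]))
    print(authorize(Request("moderate", transaction_value=25_000), [PASSWORD, TOTP_APP]))
    print(authorize(Request("high"), [SECURITY_KEY]))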

Privacy, Equity, and Usability Considerations. The Draft Guidelines emphasize privacy, equity, and usability as core requirements for digital identity systems. Under the Guidelines, “[O]nline services must be designed with equity, usability, and flexibility to ensure broad and enduring participation and access to digital devices and services.” This includes ensuring that contractors with disabilities or special needs are provided with identity solutions. The Draft Guidelines’ emphasis on equity complements NIST’s previous statements on bias in AI.

Authentication via Biometrics and Multi-Factor Authentication (MFA). The Draft Guidelines emphasize the use of MFA, including biometrics, as an authentication mechanism for contractors. This complements FIPS PUB 201-3, which already requires biometrics for physical and logical access but enhances the implementation with updated authentication guidelines.
