On July 28, 2021, the Cybersecurity & Infrastructure Security Agency (CISA) issued a cybersecurity alert entitled “Top Routinely Exploited Vulnerabilities” in collaboration with the Australian Cyber Security Centre, the United Kingdom’s National Cyber Security Centre, and the FBI.

The Alert finds that malicious actors continue to exploit vulnerabilities in unpatched systems, and that many of the vulnerabilities being exploited now were publicly disclosed, with vendor patches available, over the past two years. In other words, organizations are failing to patch well-known vulnerabilities and are leaving themselves exposed.

In addition, a remote workforce has contributed to the exploitation of vulnerabilities. According to the Alert, “[T]he rapid shift and increased use of remote work options, such as virtual private networks (VPNs) and cloud-based environments, likely placed additional burden on cyber defenders struggling to maintain and keep pace with routine software patching.” CISA points out that “four of the most targeted vulnerabilities in 2020 affected remote work, VPNs, or cloud-based technologies.”

The Alert contains a table of the “Top Routinely Exploited CVEs in 2020,” which lists 12 vulnerabilities by vendor, CVE identifier and vulnerability type (for example, arbitrary code execution or path traversal), and states that “malicious cyber actors will most likely continue to use older known vulnerabilities, …as long as they remain effective and systems remain unpatched.”

Therefore, CISA and the FBI are encouraging organizations “to remediate or mitigate vulnerabilities as quickly as possible to reduce the risk of exploitation. Most can be remediated by patching and updating systems. Organizations that have not remediated these vulnerabilities should investigate for the presence of IOCs and, if compromised, initiate incident response and recovery plans.”

The point of the Alert is that companies that have not patched known vulnerabilities continue to be at risk as cyber criminals are always going to take the easy path to crime. They would rather get into an unlocked house than try to bust through a locked door or window.

Take a look at the Alert and confirm that the listed vulnerabilities are already patched in your environment. If they are not, make patching them a high priority, and, as the Alert recommends, check any system that was exposed while unpatched for indicators of compromise rather than assuming the patch closed the matter.

Earlier this week, Apple issued another patch, this one addressing a vulnerability that Apple’s advisory describes as “an application may be able to execute arbitrary code with kernel privileges.” Apple says it “is aware of a report that this issue may have been actively exploited.” According to reports, this is the 13th zero-day vulnerability Apple has patched in 2021.

The patches are iOS 14.7.1 (and iPadOS 14.7.1) for iPhones and iPads and macOS Big Sur 11.5.1 for Macs. On an iPhone or iPad, open Settings, tap “General,” then “Software Update,” and install the 14.7.1 update; on a Mac running Big Sur, open System Preferences and choose “Software Update.” Plug the device in before applying the patch and follow the on-screen directions.
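Telling employees to update is one thing; knowing that a fleet is actually at the patched version is another. The following is an added example (not code from the original post, from Apple, or from CISA) that checks an MDM-style inventory export against minimum OS versions. The minimum versions are the ones the post names (iOS/iPadOS 14.7.1 and macOS Big Sur 11.5.1); the CSV column names, device names and inventory rows are constructed sample data. The same check serves the CISA Alert’s advice above to confirm that known vulnerabilities are patched: substitute the patched product versions for the affected products.

```python
"""Patch-compliance check: flag devices whose OS is below a required version.

Added example, not from the original post, Apple or CISA. Minimum versions are
the July 2021 Apple releases named in the post; the inventory is constructed.
"""
from __future__ import annotations

import csv
import io

# Minimum patched versions named in the post. Keys are lower-cased platform
# names as they appear in the inventory export (column names are assumed).
REQUIRED_VERSIONS = {
    "ios": "14.7.1",
    "ipados": "14.7.1",
    "macos": "11.5.1",
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '14.7.1' into (14, 7, 1).

    Leading digits of each dotted component are kept and anything after the
    first non-digit is dropped, so '11.5.1 (20G80)' -> (11, 5, 1). A component
    that does not start with a digit ends the parse; '' -> ().
    """
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def version_at_least(installed: str, required: str) -> bool:
    """True if installed >= required, comparing numerically per component.

    Shorter versions are zero-padded, so '14.7' == '14.7.0' and '14.7' < '14.7.1'.
    A plain string comparison would wrongly rank '14.10' below '14.7'.
    """
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def check_inventory(csv_text: str, required: dict[str, str] = REQUIRED_VERSIONS) -> dict[str, str]:
    """Return {device: status}, status being one of
    'ok', 'update_required', 'unknown_platform' or 'unparseable_version'."""
    results: dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        device = row["device"].strip()
        platform = row["platform"].strip().lower()
        version = row["os_version"].strip()
        if platform not in required:
            results[device] = "unknown_platform"      # not covered by this baseline
        elif not parse_version(version):
            results[device] = "unparseable_version"   # never silently pass bad data
        elif version_at_least(version, required[platform]):
            results[device] = "ok"
        else:
            results[device] = "update_required"
    return results


# Constructed sample rows standing in for an MDM export (not real devices).
SAMPLE_INVENTORY = """\
device,platform,os_version
iphone-cfo,iOS,14.7.1
iphone-sales-03,iOS,14.7
ipad-reception,iPadOS,14.6
mbp-eng-12,macOS,11.5.1 (20G80)
mbp-eng-07,macOS,11.4
imac-design,macOS,10.15.7
win-laptop-01,Windows,10.0.19043
"""

if __name__ == "__main__":
    for device, status in check_inventory(SAMPLE_INVENTORY).items():
        print(f"{device:16} {status}")
```

Versions are compared component by component as integers, so “14.10” ranks above “14.7”, which a string sort gets wrong. A device on an older major release (the 10.15.7 iMac in the sample) is reported as needing an update because the baseline here names only Big Sur; whether Apple shipped a separate fix for an older release has to be checked against Apple’s security releases page, not assumed by the script.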

Let your employees know to do the same on their mobile devices if you allow employees to use their phones or iPads for business purposes.

Keeping up with patch releases is crucial to risk management on both a personal and a professional level, and spreading the word helps that process along.

Today, the National Transportation Safety Board (NTSB) investigates accidents involving manned aircraft and other major transportation accidents. The NTSB has now released a Notice of Proposed Rule Making (NPRM) that would revise the agency’s authority to cover investigations of drone accidents. Currently, the NTSB is authorized to investigate a drone accident only if the drone weighs 300 pounds or more. The NPRM would remove this weight threshold and replace it with any drone that has “an airworthiness certificate” or meets other “airworthiness approval requirement[s].” Why? The NPRM says, “The weight threshold is no longer an appropriate criterion because unmanned aircraft systems (UAS) under 300 lbs. are operating in high-risk environments, such as beyond line-of-sight and over populated areas. The proposed definition will allow the NTSB to be notified of and quickly respond to UAS events with safety significance.”

In response to the NPRM, the Association for Unmanned Vehicle Systems International (AUVSI) commented that, because the Federal Aviation Administration (FAA) and the drone industry are still working to define and develop type certifications, this definition could make the NTSB’s investigation authority overly broad. AUVSI suggested instead that the NTSB add a “substantial damage” filter to the accidents it investigates. A portion of AUVSI’s comment read:

“The category of UAS that hold an airworthiness certificate or approval is very broad and will continue to expand as the industry evolves. New technologies and construction materials, including light-weight and frangible materials, ensure that small UAS are purposefully built to lessen any impact and damage to the public, other aircraft, or to property.”

AUVSI further suggested that the NTSB keep a maximum takeoff weight criterion tied to a “substantial damage” clause, and recommended refining the proposed language to match the accident-reporting language of the FAA’s Part 107 rule (14 CFR 107). AUVSI said in its comment, “Specifically, we propose the condition to specify that these accident investigations are only undertaken if the cost of repairs exceeds $500 and/or the fair market value of property damage exceeds $500, as is the case in the Accident Reporting clause of §107.9. This will ensure that the NTSB’s authority is targeted in a cost effective manner that yields true benefits to aviation safety.”

Lastly, the AUVSI said in its comments that the NTSB should also clarify that an accident investigation is not required when the UAS “acts as intended as defined by the airworthiness certificate or approval, even if damage is incurred,” which again aligns with the FAA’s standards.

These comments coincide with the industry’s overarching push for risk-based rules that are consistent across all government agencies. It is certainly a work in progress.

Security researchers from Avast have found that “Crackonosh” malware is being bundled into cracked (“free”) copies of some popular games in order to mine cryptocurrency on victims’ computers. Avast believes it to be the work of a Czech author; the name comes from Czech folklore.

Avast reports that the malware has been found in free (typically pirated) copies of well-known games such as NBA 2K19, Grand Theft Auto V, Jurassic World Evolution, Far Cry 5 and The Sims 4. When a gamer installs one of these copies, the malware uses the victim’s computer to mine cryptocurrency. Before it starts mining, it disables or uninstalls any security software running on the computer, which is troubling in and of itself.

Avast estimates that the malware has generated more than $2 million in Monero over the last three years from more than 222,000 infected computers worldwide. For a user, the obvious signs of infection are a higher electricity bill and a sluggish computer; the more telling sign is security software that has been switched off or has disappeared without the user doing anything.
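A defender would rather catch this from telemetry than from the electricity bill. The following is an added example (not Avast’s code and not derived from the malware itself) of a simple correlation rule over endpoint telemetry: flag a host where security software went to a disabled state and, afterwards, a process outside an allowlist sustained high CPU. The key=value record format, the hostnames, process names and log lines, the allowlist, and the 80 percent / three-sample thresholds are all constructed assumptions for illustration.

```python
"""Correlate 'antivirus disabled' events with later sustained CPU use by
unexpected processes, the two behaviours the post attributes to Crackonosh.

Added example, not Avast's code. Record format, thresholds, allowlist and the
sample telemetry are all constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime

CPU_THRESHOLD = 80.0   # average CPU percent that counts as "sustained high" (assumed)
MIN_SAMPLES = 3        # samples needed after the AV-disabled event (assumed)
# Processes expected to be busy on a gaming PC; anything else is suspect (assumed).
ALLOWLIST = {"system", "steam.exe", "chrome.exe", "msmpeng.exe"}


def parse_line(line: str) -> dict:
    """Parse one 'ISO-timestamp key=value key=value ...' record (constructed format)."""
    stamp, *pairs = line.split()
    record: dict = {"ts": datetime.fromisoformat(stamp)}
    for pair in pairs:
        key, _, value = pair.partition("=")
        record[key] = value
    return record


def find_miner_candidates(lines: list[str]) -> list[dict]:
    """Return one finding per (host, process) that is not allowlisted, averaged
    at least CPU_THRESHOLD over at least MIN_SAMPLES samples taken at or after
    the host's first 'av_status state=disabled' event."""
    av_disabled_at: dict[str, datetime] = {}
    samples: dict = defaultdict(list)   # (host, process) -> [(ts, cpu), ...]

    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        host = rec["host"]
        if rec["type"] == "av_status" and rec["state"] == "disabled":
            av_disabled_at.setdefault(host, rec["ts"])   # keep the earliest
        elif rec["type"] == "proc":
            samples[(host, rec["name"].lower())].append((rec["ts"], float(rec["cpu"])))

    findings = []
    for (host, name), points in samples.items():
        if name in ALLOWLIST or host not in av_disabled_at:
            continue
        # Only samples taken once protection was off count toward the rule.
        after = [cpu for ts, cpu in points if ts >= av_disabled_at[host]]
        if len(after) < MIN_SAMPLES:
            continue
        avg = sum(after) / len(after)
        if avg >= CPU_THRESHOLD:
            findings.append({
                "host": host,
                "process": name,
                "avg_cpu": round(avg, 1),
                "av_disabled_at": av_disabled_at[host].isoformat(),
            })
    return sorted(findings, key=lambda f: (f["host"], f["process"]))


# Constructed sample telemetry. gaming-pc-01 shows both signals; office-pc-02
# is a busy but protected render box; gaming-pc-03 lost AV but is idle.
SAMPLE_TELEMETRY = """\
2021-06-20T20:50:00 host=gaming-pc-01 type=proc name=game.exe cpu=90
2021-06-20T21:03:11 host=gaming-pc-01 type=av_status product=defender state=disabled
2021-06-20T21:08:00 host=gaming-pc-01 type=proc name=svchelper.exe cpu=95
2021-06-20T21:08:00 host=gaming-pc-01 type=proc name=chrome.exe cpu=85
2021-06-20T21:13:00 host=gaming-pc-01 type=proc name=svchelper.exe cpu=92
2021-06-20T21:13:00 host=gaming-pc-01 type=proc name=chrome.exe cpu=88
2021-06-20T21:18:00 host=gaming-pc-01 type=proc name=svchelper.exe cpu=97
2021-06-20T21:18:00 host=gaming-pc-01 type=proc name=chrome.exe cpu=90
2021-06-20T21:00:00 host=office-pc-02 type=proc name=render.exe cpu=99
2021-06-20T21:05:00 host=office-pc-02 type=proc name=render.exe cpu=99
2021-06-20T21:10:00 host=office-pc-02 type=proc name=render.exe cpu=98
2021-06-20T21:00:00 host=gaming-pc-03 type=av_status product=defender state=disabled
2021-06-20T21:05:00 host=gaming-pc-03 type=proc name=updater.exe cpu=12
2021-06-20T21:10:00 host=gaming-pc-03 type=proc name=updater.exe cpu=9
2021-06-20T21:15:00 host=gaming-pc-03 type=proc name=updater.exe cpu=11
""".splitlines()

if __name__ == "__main__":
    for finding in find_miner_candidates(SAMPLE_TELEMETRY):
        print(finding)
```

The rule deliberately requires both signals: a sustained CPU burst on its own is exactly what a game or a render job looks like, and a disabled antivirus on its own may be a user’s doing. Samples from before the disable event are ignored, so a game that was running beforehand does not trigger it. In practice the av_status records would come from the endpoint agent’s tamper or service-state logging and the proc samples from periodic process inventory, and the allowlist should be kept per host role rather than global.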

The lesson is obviously not to steal software or obtain pirated games. It’s illegal. According to Avast, “[T]he key take-away from this is that you really can’t get something for nothing and when you try to steal software, odds are someone is trying to steal from you.”

The Florida Department of Economic Opportunity (DEO) recently announced that on July 16, 2021 it discovered that its online unemployment benefit system, CONNECT, had been compromised, potentially exposing the personal information of about 57,000 accounts.

The information that may have been accessed in the incident includes individuals’ “personal details” such as “social security number, driver’s license number, bank account numbers, claim information, and other personal details, such as address, phone number, and date of birth.” On top of that, the threat actor(s) also “may have acquired the account PIN that claimants use to access their CONNECT account.”

Following the incident, the DEO stated that it locked the targeted accounts, “improved PIN security controls,” notified the affected individuals, and provided one year of identity protection services for those claimants who were affected by the incident.

It is concerning to think how the threat actors could use this information to file fraudulent unemployment claims in other states, particularly given the rash of fraudulent unemployment benefit claims that have surfaced during the pandemic.

The U.S. Transportation Security Administration (TSA) issued its second Security Directive to the pipeline industry on July 20, 2021, following the Colonial Pipeline cybersecurity incident. The first Directive on May 27, 2021, required pipeline owners and operators to notify CISA of cyber incidents, designate a cyber coordinator for the company, and review their cybersecurity program.

According to TSA, the second Directive “requires owners and operators of TSA-designated critical pipelines that transport hazardous liquids and natural gas to implement a number of urgently needed protections against cyber intrusions.”

TSA further stated, “[T]his Security Directive requires owners and operators of TSA-designated critical pipelines to implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems, develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review.”

On July 19, 2021, the Federal Bureau of Investigation (FBI) issued a Private Industry Notification to service providers and “entities associated with the Tokyo 2020 Summer Olympics that cyber actors who wish to disrupt the event could use distributed denial of service (DDoS) attacks, ransomware, social engineering, phishing campaigns, or insider threats to block or disrupt live broadcasts of the event, steal and possibly hack and leak or hold hostage sensitive data, or impact public or private digital infrastructure supporting the Olympics.”

According to the Notification, “Malicious activity could disrupt multiple functions, including media broadcasting environments, hospitality, transit, ticketing, or security.”

The Notification points out that large events attract extra attention from cyber criminals and nation-state actors, citing the attacks during the 2018 PyeongChang Winter Olympics. In 2020, the U.S. Department of Justice indicted Russian military intelligence officers for intrusions targeting the PyeongChang Games, including the attack that disrupted the Opening Ceremony.

The FBI encourages “service providers and other relevant partners to maintain business continuity plans to minimize essential service interruptions, as well as preemptively evaluate potential continuity and capability gaps…the FBI encourages regularly monitoring networks and employing best practices.” The Notification then provides details on what those best practices are.

Frankly, the FBI’s list of best practices applies to all companies, not only those supporting the Tokyo Olympics.

This week, the Department of Homeland Security’s Inspector General said in an oversight report that U.S. Customs and Border Protection (CBP) officials failed to use adequate cybersecurity measures and safeguards to protect travelers’ data. The report says that from July 2017 to December 2019, personal data was left vulnerable to hackers in the Mobile Passport Control (MPC) app, which has been used by over 10 million U.S. and Canadian citizens. Specifically, the agency did not conduct the required security and privacy reviews and assessments, nor did it implement protective hardware and software settings.

The report concludes, “Unless CBP addresses these cybersecurity vulnerabilities, MPC apps and servers will remain vulnerable, placing travelers’ [personal information] at risk of exploitation.”

The Office of the Inspector General made the following eight recommendations, which the CBP agreed to implement:

1: Update policies and procedures to ensure CBP scans all app update versions and that they are scanned prior to release by developers.

2: Update policies and procedures to codify scan processes and define the roles and responsibilities necessary to ensure scans are complete as required, and review those scan results for vulnerabilities.

3: Update the policies and procedures to include processes to conduct required security and privacy compliance reviews on a specific schedule and timeframe, track reviews completed, and centrally store review documentation.

4: Receive all necessary information from developers to complete an adequate privacy and security assessment.

5: Develop a capability to review access logs, define the periodic review time frame, and perform the required reviews according to the defined time frame.

6: Complete the required privacy evaluation review.

7: Update the policies and procedures to include a process to conduct internal audits and perform the required audits.

8: Adhere to DHS policy and fully implement the Defense Information Systems Agency Security Technical Implementation Guide control categories for the servers supporting the MPC program, request waivers as appropriate, or fully document any exception obtained when deviating from policy requirements.


This week, a North Carolina federal judge denied Filters Fast LLC’s motion to dismiss a proposed data breach class action, ruling that the plaintiffs demonstrated adequate harm to satisfy Article III standing.

The class action stems from a data breach that occurred between July 2019 and July 2020 through Filters Fast’s shopping website. Plaintiffs claim that the breach occurred as a result of Filters Fast’s negligence.

Filters Fast moved to dismiss the proposed class action, arguing that the customers could not establish standing to sue in federal court because they did not assert any concrete harm. However, the court agreed with the plaintiffs who had alleged misuse of their payment cards as a result of the breach. While the plaintiffs did not allege an economic injury as a result of this breach, the plaintiffs did show misuse of their personal data, the court said in its decision.

The court wrote, “These allegations of actual misuse bring the ‘actual and threatened harm’ alleged by Plaintiffs ‘out of the realm of speculation and into the realm of sufficiently imminent and particularized harm.’” This is a lower standard than some other data breach class action cases currently being litigated so we will watch to see how the case proceeds.

In addition to facing this proposed class action, Filters Fast entered into a $200,000 settlement agreement with the New York Attorney General as a result of an investigation by the state related to the same breach.

An Urban Air Mobility (UAM) company, Wisk, announced a new partnership with NASA to help safely integrate autonomous aircraft systems at a national level. Wisk joins NASA’s Advanced Air Mobility National Campaign to assist with preparing and developing guidance for UAM operations, and aims to help NASA address some of the biggest challenges, such as certification and standards development. Without industry stakeholders as active participants in this process, national expansion and implementation of this automated aviation technology would stall.

The first goal of this partnership is to address critical National Campaign safety scenarios. This will include autonomous flight and contingency management, collision avoidance and flight path management. Additionally, NASA and Wisk aim to evaluate architectures, perform simulation studies, and develop a validation framework that others can use for assessments of autonomous flight. In order to build a safe, effective, and efficient system, NASA and Wisk will work with industry standards organizations for guidance on airspace structure, flight procedures, minimum performance requirements, and other standards that may influence the future of autonomous systems. Be on the lookout for these guidelines and standards.