The Federal Bureau of Investigation (FBI) recently issued a joint alert with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) stating that “Mamba ransomware has been deployed against local governments, public transportation agencies, legal services, technology services, industrial, commercial, manufacturing, and construction businesses.”

According to the Alert, the group behind the Mamba ransomware attacks is weaponizing DiskCryptor, an open source disk encryption tool, to encrypt victims’ entire operating systems. Once the operating system has been encrypted, a ransom note appears and demands payment for the decryption key.

The Alert states, “[T]he ransomware program consists of the open source, off-the-shelf, disk encryption software DiskCryptor wrapped in a program which installs and starts disk encryption in the background using a key of the attacker’s choosing….The ransomware extracts a set of files and installs an encryption service. The ransomware program restarts the system about two minutes after installation of DiskCryptor to complete driver installation.”

The Alert lists the key artifacts, which can be accessed here.

The FBI recommends the following mitigation:

  • Regularly back up data, utilize air gap network security measures, and password protect backup copies offline. Ensure that copies of critical data are not accessible for modification or deletion from the system where the data resides.
  • Implement network segmentation.
  • Require administrator credentials to install software.
  • If DiskCryptor is not used by the organization, add the key artifact files used by DiskCryptor to the organization’s execution blacklist. Any attempts to install or run this encryption program and its associated files should be prevented.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (i.e., hard drive, storage device, the cloud).
  • Install updates/patch operating systems, software, and firmware as soon as they are released.
  • Use multifactor authentication where possible.
  • Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts. Implement the shortest acceptable timeframe for password changes.
  • Disable unused remote access/RDP ports and monitor remote access/RDP logs.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Install and regularly update anti-virus and anti-malware software on all hosts.
  • Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.
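
The behavior the Alert describes (DiskCryptor installed as a service, then a restart about two minutes later to finish driver installation) leaves a recognizable pair of Windows System-log events: 7045 (Service Control Manager: a service was installed) and 1074 (a process initiated a shutdown or restart). The following is an added detection example, not code from the FBI/CISA Alert. The log lines are constructed, and the DiskCryptor file names in the blocklist are assumed for illustration; in production, replace them with the key artifact list the Alert publishes.

```python
"""Flag a newly installed kernel-driver service that is followed by a reboot.

Added example: correlates Windows System-log event 7045 (service installed)
with a 1074 (restart initiated) shortly afterwards, and checks the service
binary against a DiskCryptor artifact blocklist.
"""
import re
from datetime import datetime, timedelta

# Assumed DiskCryptor component names, used here only for illustration.
# Replace this set with the key artifact list published in the Alert.
DISKCRYPTOR_ARTIFACTS = {"dcrypt.sys", "dcapi.dll", "dccon.exe", "dcinst.exe", "dcrypt.exe"}

# The Alert says the reboot comes roughly two minutes after installation;
# allow some slack so a slow host does not escape the correlation.
REBOOT_WINDOW = timedelta(minutes=5)

# Constructed, simplified log lines ("<ISO timestamp> <EventID> <message>"),
# not real telemetry. A real pipeline would read the exported System log.
SAMPLE_LOG = """\
2021-03-20T02:14:05 7045 A service was installed in the system. Service Name: UpdateSvc. Service File Name: C:\\Users\\Public\\dcrypt.sys. Service Type: kernel mode driver.
2021-03-20T02:14:06 7045 A service was installed in the system. Service Name: DcSvc. Service File Name: C:\\Users\\Public\\dcinst.exe. Service Type: user mode service.
2021-03-20T02:16:01 1074 The process C:\\Windows\\system32\\shutdown.exe has initiated the restart of computer HOST01 on behalf of user HOST01\\svc_backup.
2021-03-21T09:00:00 7045 A service was installed in the system. Service Name: PrintHelper. Service File Name: C:\\Program Files\\Vendor\\printhelper.exe. Service Type: user mode service.
2021-03-21T17:30:00 1074 The process C:\\Windows\\Explorer.EXE has initiated the restart of computer HOST01 on behalf of user HOST01\\alice.
"""

LINE_RE = re.compile(r"^(\S+) (\d+) (.*)$")
SVC_RE = re.compile(r"Service Name: (.+?)\. Service File Name: (.+?)\. Service Type: (.+?)\.")


def parse_events(log: str):
    """Return (timestamp, event_id, message) tuples in log order."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), int(m.group(2)), m.group(3)))
    return events


def find_suspicious_installs(log: str, window: timedelta = REBOOT_WINDOW):
    """Return one alert per 7045 event that looks like a DiskCryptor-style install."""
    events = parse_events(log)
    reboots = [ts for ts, eid, _ in events if eid == 1074]
    alerts = []
    for ts, eid, msg in events:
        if eid != 7045:
            continue
        m = SVC_RE.search(msg)
        if not m:
            continue
        name, path, svc_type = m.groups()
        reasons = []
        # Check the binary name regardless of how the service was labelled.
        if path.rsplit("\\", 1)[-1].lower() in DISKCRYPTOR_ARTIFACTS:
            reasons.append("known DiskCryptor artifact")
        # A fresh kernel-mode driver plus a prompt reboot matches the Alert's sequence.
        is_driver = "kernel" in svc_type.lower()
        reboot_after = next((r for r in reboots if ts <= r <= ts + window), None)
        if is_driver and reboot_after is not None:
            reasons.append("kernel-mode driver followed by reboot within %s" % window)
        if reasons:
            alerts.append({"time": ts.isoformat(), "service": name, "path": path, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_installs(SAMPLE_LOG):
        print(alert)
```

On the sample, UpdateSvc is flagged on both counts, DcSvc only by file name, and the vendor print helper (user-mode, rebooted hours later) is left alone. The reboot correlation is the more durable signal: an attacker can rename dcrypt.sys, but cannot finish installing a disk-encryption driver without the restart.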

Applus Technologies, Inc., a vendor that assists multiple state Departments of Motor Vehicles with vehicle inspections, recently announced that its systems have been affected by malware, disrupting motor vehicle inspections in Connecticut, Georgia, Idaho, Illinois, Massachusetts, New York, Texas, and Utah. As a result of the outage, vehicle inspections could not be completed from March 30, 2021, onward.

This is obviously very inconvenient for individuals whose inspection stickers have expired or will expire shortly: they risk being cited for an expired inspection sticker, on top of having to take time off to get their car inspected.

To address this concern, the Massachusetts Registry of Motor Vehicles (RMV) said, “[R]ecognizing the inconvenience Applus’ outage is causing, the RMV has been in communication with law enforcement to request cooperation and discretion in citing those with an expired sticker who may have attempted to visit a station this week.” The RMV has extended a grace period of one month to drivers who were unable to get their inspection stickers because of the outage.

After inspections had been delayed for a week, on April 7, 2021, Applus sent a software patch to service stations to try to fix the problem. However, it is being reported that Applus delivered the patch to service stations on flash drives! Flash drives are a notorious vector for planting malware and ransomware on users’ systems, and distributing a patch on removable media, rather than through a channel whose integrity the recipient can verify, runs contrary to security best practices.

Applus has stated that it does not believe that any customer (i.e., service station) financial information has been compromised, but is working with a forensic expert.

Lesson learned: get your inspection sticker in plenty of time before it expires.

The California Attorney General recently approved modified regulations under the California Consumer Privacy Act (CCPA). One part of the modified regulations bans “dark patterns” on a website. What are dark patterns? Public comments to the proposed regulations describe dark patterns as deliberate attempts to subvert or impair a consumer’s choice to opt out on a website. Dark patterns could be used on a website to confuse or distract a consumer into granting consent rather than choosing the opt-out option.

The modified regulations therefore ban the use of dark patterns that:

  • Use an opt-out request process that requires more steps than the process for a consumer to opt back into the sale of personal information after previously opting out;
  • Use confusing language (e.g., double-negatives, “Don’t Not Sell My Personal Information”);
  • Require consumers to click through or listen to unnecessary reasons why they should not submit a request to opt-out before confirming their request;
  • Require a consumer to provide personal information that is unnecessary to implement an opt-out request; or
  • Require a consumer to search or scroll through the text of a website or privacy policy to submit the opt-out request after clicking the “Do Not Sell My Personal Information” link (but before actually choosing the option).

If your website uses any such dark patterns you may wish to revise those mechanisms and implement clearer, more transparent methods for your website’s users to opt-out.

On April 6, 2021, DocuSign issued an Alert notifying users of a new malicious hacking tool that is mimicking DocuSign to drop malware into victims’ systems. According to the Alert, the document building tool, dubbed “EtterSilent,” “creates Microsoft Office documents containing malicious macros or attempts to exploit a known Microsoft Office vulnerability (CVE-2017-8570) to download malware onto the victim’s computer. This activity is from malicious third-party sources and is not coming from the DocuSign platform.”

The Alert further states “[T]o date, the malicious documents have been observed to deliver many different malware families such as Trickbot, QBot, Bazar, IcedID and Ursnif. These types of maldocs are typically delivered to victims via phishing attacks.”

DocuSign provides the Indicators of Compromise in the Alert, which can be accessed here.

Since EtterSilent documents rely on macros, it is worth alerting company users that a document asking them to enable macros is highly suspicious, and that they should check with their information technology staff before enabling macros in a document or following a link to one. If a company routinely uses DocuSign, alerting users to this scheme may help them avoid becoming victims.
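
User awareness is the last line of defense; the first is keeping macro-bearing documents out of the inbox. The following is an added example, not code from DocuSign or the Alert, showing how a mail gateway or triage script can tell a macro-free .docx from a macro-enabled document without opening it in Office: modern Office files are zip containers, and a VBA project ships as a vbaProject.bin part declared in the [Content_Types].xml manifest. Legacy OLE2 documents and RTF files (RTF carrying an embedded OLE object is the CVE-2017-8570 delivery format the Alert mentions) are not zips, so the script routes them to deeper inspection instead of allowing them. All sample documents are constructed in memory and are not real Word output.

```python
"""Triage an Office attachment: what container is it, and does it declare VBA macros?

Added example. OOXML (.docx/.docm/.xlsm) is a zip; a VBA project appears as a
vbaProject.bin part with content type application/vnd.ms-office.vbaProject.
OLE2 and RTF files need a different parser and are sent to deeper inspection.
"""
import io
import zipfile
from xml.etree import ElementTree as ET

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container
RTF_MAGIC = b"{\\rtf"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
CONTENT_TYPES_NS = "http://schemas.openxmlformats.org/package/2006/content-types"


def inspect_document(data: bytes) -> dict:
    """Describe a document's container format and whether it declares a VBA project."""
    info = {"format": "unknown", "has_vba": False, "macro_enabled_type": False}
    if data.startswith(OLE2_MAGIC):
        info["format"] = "ole2"
        return info
    if data.startswith(RTF_MAGIC):
        info["format"] = "rtf"
        return info
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return info
    info["format"] = "ooxml"
    names = zf.namelist()
    # Look for the part itself regardless of what the manifest says; manifests can lie.
    info["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    if "[Content_Types].xml" in names:
        root = ET.fromstring(zf.read("[Content_Types].xml"))
        for part in root:
            ctype = part.get("ContentType", "")
            if ctype == VBA_CONTENT_TYPE:
                info["has_vba"] = True
            if "macroEnabled" in ctype:     # .docm/.xlsm main-part content types
                info["macro_enabled_type"] = True
    return info


def triage(data: bytes) -> str:
    """block: VBA present; inspect: legacy/RTF container; allow: macro-free OOXML."""
    info = inspect_document(data)
    if info["has_vba"] or info["macro_enabled_type"]:
        return "block"
    if info["format"] in ("ole2", "rtf"):
        return "inspect"
    return "allow" if info["format"] == "ooxml" else "unknown"


# --- constructed samples: minimal zips, not real Word output ------------------
DOCX_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
DOCM_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"


def build_ooxml(main_ctype: str, with_vba: bool) -> bytes:
    buf = io.BytesIO()
    overrides = [f'<Override PartName="/word/document.xml" ContentType="{main_ctype}"/>']
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            overrides.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)   # placeholder, not a real VBA project
        zf.writestr("[Content_Types].xml", f'<Types xmlns="{CONTENT_TYPES_NS}">{"".join(overrides)}</Types>')
    return buf.getvalue()


CLEAN_DOCX = build_ooxml(DOCX_MAIN, with_vba=False)
MALDOC_DOCM = build_ooxml(DOCM_MAIN, with_vba=True)
DISGUISED_DOCX = build_ooxml(DOCX_MAIN, with_vba=True)          # macros hidden behind a .docx manifest
RTF_SAMPLE = b"{\\rtf1\\ansi {\\object\\objemb placeholder}}"  # constructed, carries no real OLE payload

if __name__ == "__main__":
    for label, blob in [("clean.docx", CLEAN_DOCX), ("invoice.docm", MALDOC_DOCM),
                        ("disguised.docx", DISGUISED_DOCX), ("notice.rtf", RTF_SAMPLE)]:
        print(label, triage(blob))
```

The "disguised" case matters: the check keys on the vbaProject.bin part, not on the file extension or the manifest alone, so renaming a .docm to .docx does not get it through. The RTF and OLE2 branches deliberately return "inspect" rather than "allow"; detecting the CVE-2017-8570 object requires parsing the embedded OLE stream, which is out of scope here.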

United Parcel Service (UPS) announced this week that it will test electric vertical takeoff and landing aircraft (eVTOLs) for package delivery. UPS purchased 10 eVTOLs from Beta Technologies (Beta), which it plans to test for use in its Express Air Delivery network. The eVTOLs are set to be delivered to UPS in 2024, pending certification from the Federal Aviation Administration (FAA). Beta also plans to provide landing pads and rechargeable batteries. On a single charge, the eVTOLs can fly up to 250 miles at 170 miles per hour.

All testing and operation of the eVTOLs will be done under UPS Flight Forward, the UPS subsidiary tasked with research and development for package delivery by drone.

Vice President for UPS’s Advanced Technology Group, Bala Ganesh, said “We can see a future where [the eVTOLs are] carrying, let’s say 1,000 pounds, 1,500 pounds to rural hospitals,” and landing on a helipad instead of at an airport.

However, there will be some literal obstacles in the way. For example, a busy, congested city like New York might restrict some eVTOL deliveries. UPS says it may not be a one-size-fits-all solution, but that customers’ willingness to pay and urgency of need could lead UPS to find a safe way for the eVTOLs to get there.

UPS said it initially plans to use them in smaller markets and to create a series of short routes or one long route to meet customer needs. UPS expects the eVTOLs to increase efficiency and sustainability while reducing costs.

How many times can we say that the Internal Revenue Service (IRS) will NOT email or telephone you? We will say it again. If you receive a telephone call, email or text from someone saying they are from the IRS, it is A SCAM. It’s that simple. If you don’t believe me, check out the IRS website, which confirms this fact.

Imposters, fraudsters, and scammers have been launching scams scaring people into believing that they owe money or back taxes to the IRS for years, including threatening victims with arrest and jail.

Instead of relying on that old trick, the fraudsters are now targeting students and faculty with .edu email addresses, using subject lines like “Tax Refund Payment” or “Recalculation of your tax refund payment.”

Students and faculty with .edu emails in higher education should know better, but unfortunately, the Federal Trade Commission has had to issue a warning to students and faculty that they are being targeted because some victims have been scammed.

If a victim clicks on the link to submit a form to receive the tax refund from the “IRS,” the form requests highly sensitive and useful information to the scammers to perpetrate identity theft, including name, address, Social Security number, driver’s license number, electronic filing PIN, and last year’s income. This is all information that can be easily used to file a fraudulent tax return in your name.

Don’t fall for any emails, telephone calls, or texts that say they are from the IRS. Delete, delete, delete! The IRS DOES NOT email, call, or text. It is prime season for tax return and refund fraud, so be cautious and vigilant to protect yourself.

The FBI recently issued a Flash Alert warning higher education institutions, K-12 schools, and seminaries about increasing numbers of ransomware attacks affecting the education industry. According to the warning, “Since March 2020, the FBI has become aware of PYSA ransomware attacks against US and foreign government entities, educational institutions, private companies, and the healthcare sector by unidentified cyber actors.”

The attackers gain initial access to networks either by compromising Remote Desktop Protocol (RDP) credentials or through phishing. The PYSA ransomware then exfiltrates sensitive information and encrypts files, appending the .pysa extension. In some cases, the attackers sell the stolen information on the dark web. The FBI reports that some criminals also remove the malicious files after deployment, making it even more difficult for victims to determine what has happened.

The FBI does not recommend paying any ransom as that emboldens and encourages more criminal conduct. Acknowledging that many educational institutions might choose to pay after determining few other options exist, the FBI points out that there is no guarantee paying any ransom will result in the return of the data.

The FBI also suggests schools implement mitigation steps as follows:

  • Regularly back up data, air gap, and password protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
  • Implement network segmentation.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (i.e., hard drive, storage device, the cloud).
  • Install updates/patch operating systems, software, and firmware as soon as they are released.
  • Use multifactor authentication where possible.
  • Regularly change passwords to network systems and accounts, and avoid reusing passwords for different accounts. Implement the shortest acceptable timeframe for password changes.
  • Disable unused remote access/RDP ports and monitor remote access/RDP logs.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Install and regularly update anti-virus and anti-malware software on all hosts.
  • Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.
  • Consider adding an email banner to messages coming from outside your organization.
  • Disable hyperlinks in received emails.
  • Focus on awareness and training. Provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities (i.e., ransomware and phishing scams).

Gardiner v. Walmart provided some guidance as to the specificity required to state a claim under the California Consumer Privacy Act (CCPA) and the types of damages that may be recoverable for breaches of California consumer data. On July 10, 2020, Lavarious Gardiner filed a proposed class action against Walmart, alleging that unauthorized individuals accessed his personal information through Walmart’s website. Although Walmart never disclosed the alleged breach or provided any formal notification to consumers (and maintains that no breach occurred), Gardiner claimed that he discovered his personal information on the dark web and was told by hackers that the information came from his Walmart online account. He also claims that, using cybersecurity scanning software, he discovered many vulnerabilities on Walmart’s website.

Gardiner claimed Walmart violated the CCPA and California’s Unfair Competition Law. In response, Walmart filed a motion to dismiss, which was granted on March 5, 2021 (of note – with leave to amend). While Gardiner has now amended his complaint, the court’s ruling on Walmart’s motion to dismiss addresses some important points related to data breach class actions, including:

  • The complaint MUST state when the alleged breach occurred. Gardiner had only alleged that his information was on the dark web, not when the breach actually occurred. The court also stated that for purposes of a CCPA claim, the relevant conduct is the actual data breach resulting from a “failure to implement and maintain reasonable security procedures and practices.” This means that the breach must have occurred on or after January 1, 2020, the effective date of the CCPA.
  • The complaint must sufficiently allege disclosure of personal information. Gardiner had only alleged that his credit card number was disclosed, but had not alleged that his 3-digit access code was affected.
  • Plaintiff’s damages arising from a data breach MUST not be speculative; this is common across courts that dismiss class action data breach suits. Here, Gardiner had not alleged that he incurred any fraudulent charges or suffered identity theft or other harm.

The court also dismissed Gardiner’s unfair competition claims that were based on a benefit of the bargain theory.

The court also addressed the disclaimers in Walmart’s privacy policy. Walmart argued that Gardiner’s contract-based claims were barred by its website Terms of Use, which included a warranty disclaimer and a limitation of liability for data breaches. The court said that the limitation of liability was clear and emphasized with capitalization, which put Gardiner on notice of its contents. This is an important part of the decision for ANY company with an online presence: a company’s website Privacy Policy and Terms of Use could be the final line of defense.

Gardiner has since amended his complaint. Whether the amendments will survive another motion to dismiss is unknown. Still, this decision provides valuable insight for claims made under the CCPA and important lessons about website Privacy Policies and Terms of Use.

Continuing its serious march against covered entities not allowing patients access to their records, the Office for Civil Rights (OCR) has settled two more cases in two days in its Right of Access Initiative. This brings the tally of OCR’s settlements to a total of 18.

The 17th settlement, with The Arbour, Inc., d/b/a Arbour Hospital (Arbour), was announced by the OCR on March 24, 2021. The settlement includes a payment of $65,000 and an agreement to enter into a corrective action plan. In that case, the OCR received a complaint in July of 2019 from a patient who alleged that Arbour had failed to provide the patient with a copy of the patient’s records. Arbour had received the request in May of 2019.

The OCR provided technical assistance to Arbour, but then received a second complaint from the patient that Arbour still had not provided the patient with the records.

The patient didn’t receive the records until November of 2019. OCR determined “that Arbour’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access standard, which requires a covered entity to take action on an access request within 30 days of receipt (or within 60 days if an extension is applicable.)” In this case, Arbour did not provide the patient with the records for more than five months after the request.

Two days later, on March 26, 2021, the OCR announced it had completed its 18th investigation in the HIPAA Right of Access Initiative when it settled with Village Plastic Surgery (VPS). That settlement included a payment of $30,000 and an agreement to enter into a corrective action plan.

That investigation started after a patient complained in September of 2019 that VPS failed to respond in a timely manner to the patient’s request made in August of 2019. The OCR initiated its investigation and “determined that VPS’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access standard” because VPS did not provide the patient with the records within 30 days. According to the OCR’s press release, “OCR’s Right of Access Initiative continues to support and enforce individuals’ vital right to receive copies of their medical records in a timely manner.”

As with most OCR settlements, these provide a stark reminder that covered entities may wish to revisit processes in place to provide medical records to patients when they are requested, so the requests are responded to in a timely manner.

State and local governments have been hammered with business email compromise (BEC) attacks over the past few years and the onslaught does not appear to be abating.

Last week, the Federal Bureau of Investigation (FBI) issued a Private Industry Notification to state, local, tribal, and territorial governments that they are being targeted by BEC attackers. The FBI noted that it is seeing an increase in these attacks, which have caused losses ranging between $10,000 and $4 million.

According to the FBI, state and local governments are low hanging fruit that scammers target because they have inadequate resources and cybersecurity controls. The FBI cites two risks as contributing to these attacks: the move to remote working and the failure to provide sufficient training to the workforce.

The FBI urged all members of the workforce to receive security awareness training, to learn how BEC attacks occur, and to learn how to spot phishing and fraudulent emails. The FBI further suggested additional measures for state and local governments to adopt: multi-factor authentication on email accounts, blocking automatic email forwarding, monitoring email Exchange servers for configuration changes, enabling alerts for suspicious activity (including logins from foreign IP addresses), adding banners to emails from external sources, using an email filtering service (spam filter), and running internal phishing tests. The FBI Alert is worth a read and can be accessed here.
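
Two of the FBI’s suggestions, blocking automatic forwarding and alerting on logins from foreign IP addresses, are detections a small IT team can run over its own mailbox audit logs. The following is an added example, not from the FBI notification. The audit records are constructed and simplified: they borrow the field names of the Exchange inbox-rule and mailbox cmdlets (New-InboxRule, Set-Mailbox, ForwardTo, ForwardingSmtpAddress) so the logic reads naturally, but they do not reproduce a real audit-log schema, and the IP-to-country table is an assumed stand-in for a GeoIP lookup.

```python
"""Hunt for the BEC indicators the FBI calls out: external auto-forwarding and
sign-ins from outside the organization's home country.

Added example. AUDIT_RECORDS and GEO_FIXTURE are constructed for illustration.
"""
import ipaddress

ORG_DOMAINS = {"example-county.gov"}      # assumed tenant domains
HOME_COUNTRIES = {"US"}                   # where staff are expected to sign in from

# Stand-in for a GeoIP lookup; the country assignments are assumed for this
# example (both ranges are RFC 5737 documentation prefixes).
GEO_FIXTURE = {"198.51.100.0/24": "US", "203.0.113.0/24": "NG"}

# Constructed records: a compromised treasurer account that logs in from abroad,
# adds a forward-and-delete rule, sets mailbox forwarding; and a clerk doing
# ordinary work. Not a real Exchange/M365 audit-log schema.
AUDIT_RECORDS = [
    {"time": "2021-03-29T03:12:44Z", "op": "UserLoggedIn", "user": "treasurer@example-county.gov",
     "ip": "203.0.113.45"},
    {"time": "2021-03-29T03:15:02Z", "op": "New-InboxRule", "user": "treasurer@example-county.gov",
     "params": {"Name": ".", "ForwardTo": ["ap.updates@mail.example.net"], "DeleteMessage": True}},
    {"time": "2021-03-29T03:16:10Z", "op": "Set-Mailbox", "user": "treasurer@example-county.gov",
     "params": {"ForwardingSmtpAddress": "smtp:treasurer.backup@example.org"}},
    {"time": "2021-03-29T14:00:00Z", "op": "UserLoggedIn", "user": "clerk@example-county.gov",
     "ip": "198.51.100.7"},
    {"time": "2021-03-29T14:05:00Z", "op": "New-InboxRule", "user": "clerk@example-county.gov",
     "params": {"Name": "Invoices", "MoveToFolder": "Invoices",
                "ForwardTo": ["finance@example-county.gov"]}},
]


def country_for(ip: str):
    """Return the fixture's country code for an IP, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for cidr, cc in GEO_FIXTURE.items():
        if addr in ipaddress.ip_network(cidr):
            return cc
    return None


def is_external(address: str) -> bool:
    """True when the address's domain is not one of ours ('smtp:' prefix tolerated)."""
    addr = address.lower()
    if addr.startswith("smtp:"):
        addr = addr[len("smtp:"):]
    return addr.rsplit("@", 1)[-1] not in ORG_DOMAINS


def find_bec_indicators(records):
    """Return findings for foreign logins and any forwarding that leaves the tenant."""
    findings = []
    for rec in records:
        op, user, params = rec["op"], rec["user"], rec.get("params", {})
        if op == "UserLoggedIn":
            cc = country_for(rec["ip"])
            if cc not in HOME_COUNTRIES:
                findings.append({"user": user, "kind": "foreign_login", "severity": "medium",
                                 "detail": f"{rec['ip']} resolved to {cc or 'unknown'}", "time": rec["time"]})
        elif op in ("New-InboxRule", "Set-InboxRule"):
            targets = [t for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
                       for t in params.get(key, [])]
            external = [t for t in targets if is_external(t)]
            if external:
                # Forward-and-delete is the classic BEC pattern: the victim never sees the thread.
                severity = "high" if params.get("DeleteMessage") else "medium"
                findings.append({"user": user, "kind": "external_forwarding_rule", "severity": severity,
                                 "detail": ", ".join(external), "time": rec["time"]})
        elif op == "Set-Mailbox":
            fwd = params.get("ForwardingSmtpAddress")
            if fwd and is_external(fwd):
                findings.append({"user": user, "kind": "mailbox_forwarding_external", "severity": "high",
                                 "detail": fwd, "time": rec["time"]})
    return findings


if __name__ == "__main__":
    for f in find_bec_indicators(AUDIT_RECORDS):
        print(f["severity"].upper(), f["time"], f["user"], f["kind"], f["detail"])
```

Run against the sample, the clerk’s internal-only rule and home-country login produce nothing, while the treasurer account yields three findings within four minutes of each other; that clustering, not any single event, is what an analyst should page on. In a real tenant the forwarding checks become redundant once outbound auto-forwarding is blocked at the organization level, which is the FBI’s actual recommendation; the detection is the compensating control until that policy is in place.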