Although VMware has had a patch available since May 25, 2021, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and Cyber Command this week urged VMware users to update and apply a fix to software that is used to manage virtual machines in data centers.

The warning states, “Please patch immediately!” Hackers are reportedly already leveraging the flaw, which allows them to remotely execute code and infiltrate environments running VMware’s server management software. The affected products are VMware vCenter Server and VMware Cloud Foundation.

Users and administrators of these VMware products are encouraged to “review VMware’s VMSA-2021-010, blogpost, and FAQs for more information about the vulnerability and apply the necessary updates as soon as possible, even if out-of-cycle work is required. If an organization cannot immediately apply the updates, then apply the workarounds in the interim.”

These urgent warnings from both VMware and CISA merit consideration and prompt attention.

The FBI recently issued a Flash Alert to Fortinet FortiGate users that Advanced Persistent Threat (APT) groups are continuing to exploit devices that have not been patched. Although Fortinet issued patches for these vulnerabilities in 2018, 2019, and 2020, many organizations have not applied them.

The exploitation is indiscriminate, not aimed at specific industries or sectors, and appears to target simply whatever devices remain unpatched. According to a joint CISA and FBI alert issued in April 2021, the vulnerabilities could be used by threat actors to exfiltrate data, encrypt data, and stage additional attacks.

Leaving unpatched vulnerabilities in software your organization actively uses gives threat actors easy access to valuable data, akin to leaving your door unlocked and allowing a burglar to walk in and steal your valuables. These are not new vulnerabilities, nor are they new patches. Check with your IT professionals to confirm that these patches have been applied.

IT professionals leave room in their schedules for Microsoft’s monthly Patch Tuesday just as I leave room in my schedule every Wednesday night for blog writing. This month’s Patch Tuesday was light on patches compared to other months, but it includes six that address zero-day-related vulnerabilities, four of which concern elevation-of-privilege flaws.

No question, the ability of threat actors to escalate privileges in a system or application is a major concern for data security, as it may allow them to access and exfiltrate the most sensitive data in a company’s systems. It also may give the threat actor the ability to destroy backup systems and the security tools designed to detect compromises, and to plant malware and ransomware unseen. This is exactly what threat actors are doing with Prometheus ransomware.

Microsoft urged users to patch these zero-day vulnerabilities, as threat actors are using them to launch targeted attacks against users.

In an unusual and exciting twist to the Colonial Pipeline ransomware attack, the Department of Justice (DOJ) announced this week that it was able to retrieve $2.3 million of the $4.4 million paid by Colonial Pipeline to DarkSide by seizing the wallet, and thus “preventing Darkside actors from using it.”

Way to go DOJ and FBI! The DOJ urges companies that fall victim to ransomware attacks to work with law enforcement and continues to discourage the payment of ransoms.

After the attacks on JBS and Colonial Pipeline, the U.S. Treasury Department will likely consider increasing its enforcement of anti-money-laundering laws and adopt new reporting requirements for cryptocurrency transactions.

In ransomware attacks, hackers demand payments after locking victims out of their computer networks; de-anonymizing payments could create a disincentive for these hackers to continue pushing such ransomware extortion schemes. Currently, hackers use digital currencies as a way to avoid regulations within the traditional financial system. If the Treasury Department applies many of the same anti-money-laundering laws to cryptocurrency transactions, it could assist in identifying the cyber criminals (and perhaps lessen the number of attacks).

What would help make these regulations effective? Well, requiring disclosure of who is using the digital wallet and where the cryptocurrency ransom is being sent would be a start. Lawmakers may also want to consider oversight of the exchange of cryptocurrencies for other currencies (such as the U.S. dollar). The problem? U.S. regulation of cryptocurrency would not reach overseas, which is often where cyber criminals cash out their funds. Of course, U.S. authorities could use sanctions to prevent exchanges from transacting in U.S. dollars unless all participants agree to utilize a crypto-reporting system.

Of course, this is not the first time that this oversight has been discussed. Late last year, the Treasury Department proposed a rule to require banks and exchanges to report transactions over $10,000 using digital wallets NOT hosted by a financial institution. This is similar to the existing rules for cash withdrawals over that amount. This type of reporting rule would assist law enforcement in tracking money flows for cyber crime.

Crypto exchanges already have to report on customers’ suspicious transactions. The proposed rule would add reporting for when unhosted wallets are involved, regardless of whether the transaction is considered suspicious. Unhosted wallets are similar to anonymous bank accounts.

This proposed rule came after U.S. companies were warned that paying ransoms to hackers could violate U.S. sanctions. That warning encouraged companies to cooperate with law enforcement in order to protect themselves from liability for erroneously paying a ransom to an entity on the sanction list.

A Treasury Department spokeswoman said that the proposed rule for reporting crypto transactions “is actively moving through the rulemaking process” after receiving thousands of comments in response.

When cyber-attacks on large businesses like JBS and Colonial Pipeline affect consumers’ gas prices and the availability of meat at the grocery store, it likely will lead to increased public scrutiny and a call for action on cryptocurrency and other issues tied to ransomware.

Of course, the underlying issue in these ransomware attacks is the lax (or lack of) security safeguards to protect data housed at these companies that have been (and will be) under attack. Businesses should focus on security and prevention to stop these attacks from happening, and from having to negotiate and pay a ransom at all.

Last week, Diabetes, Endocrinology & Lipidology Center Inc. (DELC) of West Virginia reached a $5,000 settlement with the Office for Civil Rights (OCR) over allegations that it failed to provide timely access to a patient’s health records. The OCR alleged that DELC waited more than two years to send a minor’s medical records to their parent, and that the records were sent only after the OCR opened an investigation in response to the parent’s complaint. This alleged failure to provide timely access was a violation of the Health Insurance Portability and Accountability Act (HIPAA), which requires health care providers to respond to a patient’s request for access to health records within 30 days.

This is the 19th settlement for alleged right-of-access violations.

In addition to the $5,000 payment, DELC has agreed to implement a corrective action plan and submit to two years of monitoring.

Last week, the Eleventh Circuit held that an invasion-of-privacy exclusion in an insured’s policy barred coverage and that Liberty Insurance Underwriters Inc. did not have to cover the $60.4 million settlement of a class action against the insured, iCan Benefit Group LLC (iCan), for sending robotexts in alleged violation of the Telephone Consumer Protection Act. The exclusion for claims “arising out of” an invasion of privacy applies because the class claim has a connection with the invasion of privacy; the complaint does not have to allege the common law tort of invasion of privacy to trigger the coverage exclusion.

The class action against iCan alleged that class members suffered “actual harm in the form of annoyance, nuisance, invasion of privacy.” After Liberty denied the request for coverage by iCan, iCan and class plaintiffs settled for $60.4 million and payment of that settlement was “not [to] be satisfied from or executed on any assets or property of iCan, [but] shall only be satisfied from Liberty.”

Ever since the enactment of the Illinois Biometric Information Privacy Act (BIPA), we have been watching the development of laws around the collection, use, disclosure and retention of biometric information. In general, BIPA and the other biometric information privacy laws enacted since require any company that collects biometric information, such as fingerprints, voice recognition, retinal scans or facial scans, to notify the individuals from whom it is collected that the biometric information is being collected, the purpose for which it is being collected and used, to whom it is being disclosed, and how long it is being retained. The laws usually also require companies to put appropriate security measures in place to protect the biometric information.

Litigation under BIPA and other biometric information privacy laws is rampant. For instance, a fast food chain was recently sued for using voice recognition technology in its drive-through facilities without providing notice to consumers and obtaining their consent.

The reason for these laws is pretty clear—this information is highly sensitive and unique to each person, and if it is compromised, the consequences could be significant or even catastrophic for the people affected. As I say, we have only one face, one set of fingerprints, a unique voice, and two irises. If a bad actor were to get ahold of this unique information, they could use it for nefarious purposes, including to steal our identity in very significant ways.

These laws, similar to the California Consumer Privacy Act (CCPA), include a private right of action if the company fails to comply with the provisions of the law. This means that if a company does not provide notice of the collection, use, disclosure and retention of the information, or if there is a compromise of the information, individual consumers can directly sue the company for failing to comply with the law and without showing actual harm, damages or consequences. This can lead to costly litigation.

It is hard (but necessary) for a full-time privacy professional like me to keep up with these laws, let alone businesses that are not focused on this area of law. Biometric laws are popping up like drone laws used to pop up back in the day on the state, county, city and municipal level. For instance, the City of New York has enacted a biometric law that becomes effective next month that applies to a “commercial establishment” in New York City, which means “a place of entertainment, a retail store, or a food and drink establishment,” that requires the business to place a “clear and conspicuous sign near all of the commercial establishment’s customer entrances notifying customers in plain, simple language…that customers’ biometric identifier information is being collected, retained, converted, stored or shared, as applicable.” The law further prohibits the sale of biometric information.

The New York City ordinance differs from BIPA and other state laws in that it (1) does not apply to employees of companies; (2) does not apply to financial institutions; and (3) does not apply to governmental entities. The statutes are similar, however, in that both contain a private right of action for consumers. The New York City law states that an aggrieved person can sue the company for a violation of the law after first giving the company thirty days’ notice to cure the violation. This is similar to the private right of action in the CCPA (an individual may seek damages of $500 for each violation, up to $5,000 for each intentional or reckless violation, and receive reasonable attorneys’ fees and costs, expert witness fees, litigation expenses and injunctive relief).

New York City establishments—take note. Other establishments—understand that this is a rapidly developing area of privacy law that is difficult to monitor and may be tricky to comply with on a national, state, and municipal level. If you are collecting any biometric data from employees or consumers, you may wish to consider implementing a biometric information compliance program.

This week, the Federal Aviation Administration (FAA) announced its Unmanned Aircraft Systems (UAS) Support Center Case Management System (CMS), designed to streamline how industry stakeholders’ questions are answered and to provide responses more quickly. The new process uses a Contact Customer Support form that allows the public as well as stakeholders to submit their questions to the FAA and more easily obtain the appropriate answer or the information necessary to operate drones safely and in accordance with FAA regulations. Inquiries must include the stakeholder’s name, preferred method of communication, email address, phone number, zip code, and type of UAS so that the Support Center Analysts can more efficiently answer the specific question or concern. This is yet another step towards more widespread integration of drones into the national airspace. For the FAA and stakeholders, ease (and speed) of communication is key to success.

It has been reported by Bloomberg Law that the Colonial Pipeline ransomware attack was caused by a “single compromised password.” The Colonial Pipeline ransomware attack had consumers hoarding gasoline and disrupted distribution of gas along the east coast. One single compromised password.

Colonial Pipeline paid $4.4 million in ransom following the attack, although the Department of Justice (DOJ) was able to recover $2.3 million of that payment by seizing the crypto wallet used by the attackers. A payment of $4.4 million because of one single compromised password.

What is worse is that the account the password was connected to was not an active account, but could still be used to access the network. I am surmising, but this usually happens when someone leaves the company and the account and its access are not terminated. The initial user may have used the password across platforms, the password was compromised and obtained by DarkSide on the dark web, and presto! They can go into Colonial’s system with the valid password undetected.

We are constantly told how important passwords are. I like to use long passphrases. We are told not to use the same passwords across platforms. We are told not to use passwords that are related to anything we post on social media or online platforms. We are told all of this for a reason: one compromised password can cause a gas shortage, a meat shortage, contaminated water, millions of dollars paid in ransom, and disruption to our lives. Do your part and focus on password management for yourself personally, as well as for your employer.