According to a report issued on August 24, 2021, by Unit 42 of Palo Alto Networks Ransomware Groups to Watch: Emerging Threats, four emerging ransomware groups “are currently affecting organizations and show signs of having the potential to become more prevalent in the future.”

The four emerging groups identified by Unit 42 include:

AvosLocker, a Ransomware as a Service that arrived on the scene in June 2021 using a blue beetle logo for communications. According to Unit 42, AvosLocker “has low detection rates and is capable of handling large files,” and operates an extortion site with demands between $50,000 and $75,000. It is actively trying to recruit affiliates.

Hive Ransonware also started operating in June 2021 and “is double-extortion ransomware.” Hive “has already shown notable disregard for its victims’ welfare, attacking organizations including healthcare providers and mid-size organizations ill-equipped for managing a ransomware attack.” Twenty-eight victims have been listed on their leak site.

HelloKitty Linux Edition, a ransomware group that has existed since 2020, usually targets Windows systems, but in July 2021, Unit 42 found that HelloKitty has developed a Linux variant “targeting VBMware’s ESXi hypervisor, which is widely used in cloud and on-premises data centers.”

Lockbit 2.0 (aka ABCD ransomware), another Ransomware as a Service, has launched a marketing campaign to recruit new affiliates and “claims to offer the fastest encryption on the ransomware market,” It has listed 52 victims on its leak site.

Unit 42 confirms what we are seeing: as law enforcement takes the bad guys out of the picture one by one, new threat actors step into the void, and how “old groups can re-emerge and remain persistent threats.”

This week the Federal Communications Commission (FCC) proposed its highest financial penalty against lobbyist and political consultant group, John M. Burkman, Jacob Alexander Wohl, and J.M. Burkman & Associates LLC (the Group), for allegedly making over 1,000 robocalls to voters without obtaining prior express consent as required by the Telephone Consumer Protection Act (TCPA). The FCC has suggested a $5,134,500 penalty for these calls.

The FCC was first made aware of these robocalls in September 2020. According to the FCC, the Group made these calls in August and September of last year explaining to voters that if they vote by mail their “personal information will be part of a public database that will be used by police departments to track down old warrants and be used by credit card companies to collect outstanding debts.”. The FCC also said that the messages did identify Burkman and Wohl by name and listed Burkman’s personal cellphone number as the calling party on the recipients’ caller ID.

In 2019, the TCPA was amended by the Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act to not require the FCC to warn robocallers before violations could be counted toward a proposed fine. The action against this Group is the first one that the FCC has taken against an entity in line with that amendment.

The FCC said that by making these pre-recorded calls to voters without the consent of the individuals receiving the call is a TCPA violation regardless of the content of the calls. The Group also faces pending litigation related to the same claims.

Yesterday (August 25, 2021), the Cybersecurity and Infrastructure Security Agency (CISA) issued a fact sheet offering suggestions to government agencies and private companies on how to prevent and respond to a ransomware attack.

The fact sheet, entitled Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches provides organizations with tips to prevent and respond to ransomware. CISA encourages organizations to adopt a heightened state of awareness and implement the recommendations listed in this fact sheet to reduce their risk to ransomware and protect sensitive and personal information. Review StopRansomware.gov for additional resources.”

The fact sheet includes tips such as maintaining an offline, encrypted back-up of data, develop an incident response plan, implement auditing, regular scans and software updates, block phishing attempts, and practice “good cyber hygiene.”

The guidance sets forth some examples of good cyber hygiene, including:

  1. Ensuring antivirus and anti-malware software and signatures are up to date.
  2. Implementing application allowlisting.
  3. Ensuring user and privileged accounts are limited through account use policies, user account control, and privileged account management.
  4. Employing MFA for all services to the extent possible, particularly for webmail, virtual private networks (VPNs), and accounts that access critical systems.
  5. Implementing cybersecurity best practices from CISA’s Cyber Essentials and the CISA-MS-ISAC Joint Ransomware Guide.

The fact sheet also offers suggestions on the topics “Protecting Sensitive and Personal Information” and “Responding to Ransomware-Caused Data Breaches.”

Finally, it provides additional resources listed on the StopRansomware.gov website. This is a free and valuable roadmap for organizations to read and consider using to prepare for and respond to a ransomware attack.

As a former Assistant Attorney General, I have a soft place in my heart for Attorneys General as consumer protection advocates. Most state AGs have the primary jurisdiction to enforce compliance with consumer protection laws in their states. Some are more aggressive than others, such as New Mexico Attorney General Hector Balderas, who recently sued Rovio Entertainment, the maker of Angry Birds, alleging that Rovio violated the Children’s Online Privacy Protection Act (COPPA) by collecting data on players under the age of 13 and disclosing it to advertisers.

According to Balderas’s allegations, Rovio monetizes children by collecting data while they are playing Angry Birds and uses the data for targeted advertising, also known as behavioral advertising.

Although the case is in its infancy, it is a reminder to parents, grandparents, and caretakers of children under the age of 13 that there are laws in place that require consent of parents or guardians of minors under the age of 13 for the collection of their data during their online activity. If you are a caretaker for a child under the age of 13, whether you are a parent or otherwise, it is important to keep track of the consents given in the past, or when you give consent for the child to use an online platform, such as a game. The consents are there as protections for children’s information and the use and sale of it. Laws such as COPPA have been enacted by Congress for the protection of children, but if parents and other caretakers are not paying attention and availing themselves of the protection, they may unwittingly fail to protect the child’s data.

Before giving consent for a child to use an online platform that collects, uses, or sells their data, read the online platform’s privacy policy to see what they are doing with the data. Do you agree with how they are sharing your child’s online activity data? Are they selling it?

If you have already given consent and your child uses an online platform frequently, go back and read the privacy policy to see if it has changed or if you still agree with it (or read it for the first time). Talk to your child about online activity and how their information is being collected, used and sold. Educate your child about the consequences of online activity.

Although AGs do their best to protect all of us as consumers, we can’t rely on them alone. We have to take responsibility to protect ourselves and our children from harm, including harm associated with online activity.

There has been a flurry of reporting in the past few days on the T-Mobile customer data compromise, with allegations that the compromise affected up to 100 million customers. The Federal Communications Commission confirmed yesterday that it is investigating the incident. T-Mobile proactively issued a press release on August 17 to clarify and correct the facts.

According to the press release, T-Mobile has “been urgently investigating the highly sophisticated cyberattack” and is now providing details on the attack. The substance is quoted below from the press release:

  • “Late last week we were informed of claims made in an online forum that a bad actor had compromised T-Mobile systems. We immediately began an exhaustive investigation into these claims and brought in world-leading cybersecurity experts to help with our assessment.
  • We then located and immediately closed the access point that we believe was used to illegally gain entry to our servers.
  • Yesterday, we were able to verify that a subset of T-Mobile data had been accessed by unauthorized individuals. We also began coordination with law enforcement as our forensic investigation continued.
  • While our investigation is still underway and we continue to learn additional details, we have now been able to confirm that the data stolen from our systems did include some personal information.
  • We have no indication that the data contained in the stolen files included any customer financial information, credit card information, debit or other payment information.
  • Some of the data accessed did include customers’ first and last names, date of birth, SSN, and driver’s license/ID information for a subset of current and former postpay customers and prospective T-Mobile customers.
  • Our preliminary analysis is that approximately 7.8 million current T-Mobile postpaid customer accounts’ information appears to be contained in the stolen files, as well as just over 40 million records of former or prospective customers who had previously applied for credit with T-Mobile. Importantly, no phone numbers, account numbers, PINs, passwords, or financial information were compromised in any of these files of customers or prospective customers.
  • As a result of this finding, we are taking immediate steps to help protect all of the individuals who may be at risk from this cyberattack. Communications will be issued shortly to customers outlining that T-Mobile is:
    • Immediately offering 2 years of free identity protection services with McAfee’s ID Theft Protection Service.
    • Recommending all T-Mobile postpaid customers proactively change their PIN by going online into their T-Mobile account or calling our Customer Care team by dialing 611 on your phone. This precaution is despite the fact that we have no knowledge that any postpaid account PINs were compromised.
    • Offering an extra step to protect your mobile account with our Account Takeover Protection capabilities for postpaid customers, which makes it harder for customer accounts to be fraudulently ported out and stolen.
    • Publishing a unique web page later on Wednesday for one stop information and solutions to help customers take steps to further protect themselves.
  • At this time, we have also been able to confirm approximately 850,000 active T-Mobile prepaid customer names, phone numbers and account PINs were also exposed. We have already proactively reset ALL of the PINs on these accounts to help protect these customers, and we will be notifying accordingly right away. No Metro by T-Mobile, former Sprint prepaid, or Boost customers had their names or PINs exposed.
  • We have also confirmed that there was some additional information from inactive prepaid accounts accessed through prepaid billing files. No customer financial information, credit card information, debit or other payment information or SSN was in this inactive file.”

There’s a lot in there, which is why we quoted the press release directly.  It is important to get information directly from the source.

According to T-Mobile, if an individual’s information was included in the compromise, T-Mobile will notify those customers and offer identity theft protection services. However, if you are currently a T-Mobile customer, it is important to follow its recommendations to change your PIN and check out the website they have created to answer questions and provide further recommendations.

Researchers at Heimdal Security have detected a new ransomware dubbed DeepBlueMagic. According to Heimdal, it is particularly concerning because it is able to disable security tools that companies have employed in order to avoid detection. After the security tools are disabled, the ransomware is deployed and encrypts entire hard drives, except for the system drive. DeepBlueMagic uses other tools to make the recovery of the drives impossible.

Ransomware strains continue to pop up at a rapid pace, showing that there will be no abatement to the problem any time soon. The threat actors are creating nasty strains at a feverish pitch and deploying them faster than companies can keep up.

Prevention continues to be the top strategy, including using basic cyber hygiene. We continue to see successful attacks using old tricks against known vulnerabilities, including the lack of multi-factor authentication, VPN vulnerabilities, failure to patch known vulnerabilities, and remote desktop protocol vulnerabilities. It is crucial to stay on top of these vulnerabilities to prevent known and new strains of malware and ransomware like DeepBlueMagic from deployment in your system, and the subsequent chaos and loss it can cause to your business.

This week, a proposed data breach class action against Dickey’s Barbecue Restaurants Inc.  was settled for $2.35 million in the U.S. District Court for the Northern District of Texas with approval of the settlement terms by Judge Ed Kinkeade. Dickey’s is a Dallas-based restaurant chain that allegedly failed to implement appropriate security measures to protect consumer personal information from a breach, and allegedly violated the California Consumer Privacy Act (CCPA) as well, according to plaintiffs’ complaints.

Plaintiff Demi Kostka filed the suit against Dickey’s in November 2020, alleging that the restaurant chain failed to implement adequate data security measures to protect and secure consumers’ credit card information which resulted in a breach of their data.  The suit was later consolidated with similar cases alleging violations of the CCPA and the California Unfair Competition Law.

Eligible California class members will receive about $100 and non-California class members will receive about $50. In addition to the monetary award, the settlement provides reimbursement for class members who suffered certain losses as a result of the security incident; class members may also opt to receive free credit monitoring services.

Blackbaud, which suffered a data breach of its customers’ data in a ransomware attack in 2020, in which it admitted paying the ransom in a double extortion attack [view related posts], is facing multiple class action cases following the attack. The cases have been consolidated in multi-district litigation and now comprise 29 cases.

The federal judge overseeing the cases has refused to dismiss all of the claims that the plaintiffs alleged against Blackbaud, and ruled that Blackbaud must face claims of violation of the California Consumer Privacy Act (CCPA), deceptive and unfair trade practice allegations made by Florida and New York plaintiffs, and a separate claim by a California plaintiff alleging the compromise of medical information.

The judge declared that the plaintiffs had sufficiently alleged that Blackbaud was a “business” as that term is defined in CCPA partly because Blackbaud was a registered data broker in the state of California.

The judge did dismiss several state statutory claims that had been made by the plaintiffs. We will continue to watch this case and Blackbaud’s defenses to the CCPA claims.

Mandiant, a division of FireEye, has reported that it has discovered a vulnerability in a software protocol that enables hackers to gain access to audio and visual data on smart devices including baby monitors and web cameras. The protocol was created  by Taiwanese Internet of Things vendor ThroughTek, and is incorporated in as many as 83 million devices.

According to reports, ThroughTek has confirmed that it has notified customers of the vulnerability and information about mitigating the gap.

According to Mandiant, the threat actor could exploit the vulnerability to communicate directly with devices to plan and deploy subsequent attacks. Mandiant stated that the Department of Homeland Security would be issuing an alert to raise awareness of the issue.

It is difficult as a consumer to stay abreast of vulnerabilities in component parts of products that use other companies’ software. However, the security of the component parts is crucial to the security of the IoT device.

Mandiant suggests that users of IoT devices, including baby monitors, web cameras, home security systems, personal assistants, and basically anything else that uses the Internet, to update their software (also known as patching) as soon as you receive notice. I would add to limit the use of IoT devices and to closely follow the device’s Privacy Policy and updates.

Cryptocurrency platform Poly Network, which allows users to swap different types of digital tokens, was the victim of a cryptoheist that resulted in the thief (allegedly just one hacker) to swipe over $600 million of currency. The incident has been dubbed the largest theft of cryptocurrency to date.

The story reads like the beginning of a novel. After the heist, Poly Network posted a letter on Twitter asking the thief to get in touch with them “to work out a solution.” The thief then posted messages that he would return the funds because he was “not very interested in money.” The next day, Poly Network claimed it had received half of the stolen amount back from the thief, in the form of Ether tokens, Polygon tokens and Binance Coin.

The hacker then posted a three-page Q&A self-interview discussing why he did it. According to reports, the hacker said the heist was meant to showcase the vulnerabilities in the Poly Network software and that users should learn from the hack. The hacker wanted to expose the bug, but not cause a “panic in the crypto-world” which is why the hacker took the important coins but left the Dogecoin. According to the thief, “The pain suffered is temporary, but memorable.”

Cryptocurrency continues to be unregulated, so the bigger story is what would have happened if the cryptocurrency hadn’t been returned.