Since the Colonial Pipeline and JBS meat-processing security incidents, attention is finally being paid to the cybersecurity vulnerabilities of critical infrastructure in the U.S. and, in particular, to the potential effect on day-to-day life and national security if the production of large and significant manufacturers is disrupted. In the wake of these recent incidents in the manufacturing sector, Unit 42 of Palo Alto Networks has published research that may be considered a warning to the manufacturing sector and is worth notice. The warning is about the activities of Prometheus, “a new player in the ransomware world that uses similar malware and tactics to ransomware veteran Thanos.”

According to the Executive Summary, Unit 42 “has spent the past four months following the activities of Prometheus” which “leverages double-extortion tactics and hosts a leak site, where it names new victims and posts stolen data available for purchase.” Prometheus claims to be part of REvil, but Unit 42 says it has “seen no indication that these two ransomware groups are related in any way.” Unit 42 further states that Prometheus claims to have victimized 30 organizations in different industries, in more than a dozen countries, including the U.S.

Prometheus came on the scene in February 2021 as a new variant of the Thanos strain. Unit 42 is unable to provide information on how the Prometheus ransomware is being delivered, but surmises that it arrives through typical means, such as “buying access to certain networks, brute-forcing credentials or spear phishing for initial access.” Once inside, it kills backup and security processes and then starts encrypting. It then “drops two ransom notes” that carry the same information: that the network has been hacked, that important files have been encrypted, and how to recover them. If the ransom demand is not met, the stolen data is published on the group’s leak (shaming) site, which also posts the “leak status” of each victim. According to Unit 42, “[M]anufacturing was the most impacted industry among the victim organizations we observed, closely followed by the transportation and logistics industry.”
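The pre-encryption step the post describes, killing backups and security processes before encryption begins, is the point in the chain where a defender still has time to act. The following is an added example, not code from Unit 42 or from the original post: a small detector that runs over process-creation log lines, flags the generic backup-destruction and process-kill commands commonly seen before ransomware encryption, and rates a host high when several distinct techniques appear within a short window. The log format, host names and the specific command patterns are assumptions for illustration; the post does not list the exact commands Prometheus uses.

```python
"""Flag backup-destruction and process-kill commands in process-creation logs.

Added example. The log format below is a constructed, pipe-delimited
process-creation record (timestamp|host|user|parent|command_line), and the
command patterns are generic ransomware tradecraft assumed for illustration,
not commands attributed to Prometheus by the source.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry (not real events). The first four lines are the
# burst a ransomware operator produces just before encryption; the fifth is a
# legitimate administrator listing shadow copies, which must not alert.
SAMPLE_LOG = """\
2021-06-10T02:14:03Z|wks-plc-07|svc_backup|cmd.exe|vssadmin.exe delete shadows /all /quiet
2021-06-10T02:14:05Z|wks-plc-07|svc_backup|cmd.exe|wbadmin delete catalog -quiet
2021-06-10T02:14:06Z|wks-plc-07|svc_backup|cmd.exe|bcdedit /set {default} recoveryenabled No
2021-06-10T02:14:09Z|wks-plc-07|svc_backup|cmd.exe|taskkill /F /IM sqlservr.exe
2021-06-10T03:30:00Z|fileserver-01|backupadmin|mmc.exe|vssadmin.exe list shadows
2021-06-10T04:00:00Z|wks-hr-02|jdoe|explorer.exe|notepad.exe C:\\Users\\jdoe\\report.txt
"""

# Assumed tampering patterns (common pre-encryption commands), keyed by technique name.
TAMPER_PATTERNS = {
    "shadow_copy_delete": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "backup_catalog_delete": re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I),
    "recovery_disabled": re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\S+\s+recoveryenabled\s+no", re.I),
    "service_process_kill": re.compile(r"taskkill(?:\.exe)?\s+/F\b|net(?:\.exe)?\s+stop\s+\S+", re.I),
}


@dataclass(frozen=True)
class ProcessEvent:
    ts: datetime
    host: str
    user: str
    parent: str
    command_line: str


def parse_log(text: str) -> list:
    """Parse the constructed pipe-delimited format into ProcessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, parent, cmd = line.split("|", 4)
        ts_parsed = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(ProcessEvent(ts_parsed, host, user, parent, cmd))
    return events


def classify(command_line: str) -> list:
    """Return the technique names whose pattern matches this command line."""
    return [name for name, rx in TAMPER_PATTERNS.items() if rx.search(command_line)]


def correlate(events, window: timedelta = timedelta(minutes=5)) -> list:
    """Group matches per host. Several distinct techniques inside one short
    window is the 'kill backups, then encrypt' burst; a single match is only
    medium, since one command can be legitimate administration."""
    by_host = defaultdict(list)
    for ev in events:
        for tech in classify(ev.command_line):
            by_host[ev.host].append((ev.ts, tech, ev.command_line))

    alerts = []
    for host, hits in by_host.items():
        hits.sort()
        start = hits[0][0]
        in_window = [h for h in hits if h[0] - start <= window]
        techniques = sorted({h[1] for h in in_window})
        alerts.append({
            "host": host,
            "severity": "high" if len(techniques) >= 2 else "medium",
            "first_seen": start.isoformat(),
            "techniques": techniques,
            "commands": [h[2] for h in in_window],
        })
    return sorted(alerts, key=lambda a: a["host"])


if __name__ == "__main__":
    for alert in correlate(parse_log(SAMPLE_LOG)):
        print(alert["severity"].upper(), alert["host"], alert["techniques"])
```

Run against the constructed sample, the detector raises one high-severity alert for wks-plc-07 (four techniques in six seconds) and stays silent on the administrator's `vssadmin list shadows`, because the patterns key on the destructive verb rather than on the binary name. In production the same logic would sit over Sysmon event ID 1 or an EDR process-creation feed, and the window-based correlation is what separates a ransomware burst from routine backup maintenance.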

What we have seen in the past is that when ransomware groups are successful in one industry, they use what they learned from the initial attacks to target other companies in that sector, assuming that because the first attack worked, subsequent attacks will work as well. Since networks within an industry tend to be similar, it is straightforward to attack one victim, learn from it, and then apply that knowledge to similarly situated victims.

With threat actors focused on the manufacturing sector right now, we anticipate seeing more attacks against manufacturers from groups such as Prometheus.

The City of Tulsa, Oklahoma, announced on May 9, 2021, that it had been hit with a ransomware attack, but the Mayor is resolute in not paying the demanded ransom. Although “all of our computer systems—with a few exceptions—are down right now,” the Mayor has stated that he will “not pay a nickel” to the attackers.

Although emergency services like fire, rescue and police are fully functional, the attack has caused serious disruption to the city, including to the police department, which is unable to offload data from body cameras. In addition, residents are unable to pay some bills, such as water bills. While the city restores its systems, residents will get a brief hiatus from paying bills where payment systems have been disrupted, until five days after those systems are restored.

Although IT staff are working around the clock, the Mayor said the systems will be restored in phases, and some systems may not be fully restored within a month.

Colonial Pipeline was hit with a proposed class action suit this week by a resident of North Carolina who alleges that he had to purchase gasoline at inflated prices due to the “unlawfully deficient data security” of Colonial, which allowed a ransomware attack to shut the pipeline down.

According to allegations in the suit, the cyber attack was “catastrophic” to consumers and the attack injured millions of individuals with gas shortages and higher prices. The suit alleges that the pipeline management should have foreseen a cyber-attack as attacks against critical infrastructure are a known risk.

The Complaint alleges negligence and seeks a declaratory judgment, monetary damages, punitive damages, restitution, and disgorgement of revenue.

The Office for Civil Rights (OCR) this week announced a settlement with Peachstate Health Management LLC (aka AEON Clinical Laboratories) following a compliance review that uncovered alleged violations of HIPAA.

The settlement includes a $25,000 payment to OCR by Peachstate, a corrective action plan, and three years of monitoring by OCR.

OCR initiated a compliance review of Peachstate in December 2017 to determine its compliance with HIPAA following a report of a data breach by the U.S. Department of Veterans Affairs. The notification alleged that the data breach was caused by the VA’s vendor, which was subsequently acquired by Peachstate.

According to OCR’s press release, “OCR’s investigation found systemic noncompliance with the HIPAA Security Rule, including failures to conduct an enterprise-wide risk analysis, implement risk management and audit controls, and maintain documentation of HIPAA Security Rule policies and procedures.”

OCR further stated, “This settlement reiterates OCR’s commitment to ensuring compliance with rules that protect the privacy and security of protected health information.”

The Defense Innovation Unit, the Silicon Valley outpost of the Department of Defense (DOD), is seeking commercial algorithms to help build an automated network of military drones to accomplish complex tasks using artificial intelligence (AI). The Unit is requesting algorithms specific to networking and decision-making (rather than computer vision or autopilot systems) to help the DOD accomplish its goal of a connected platform of drones working together. The solicitation states, “While these algorithms extend to a variety of use cases, this specific prototype evaluation will be focused on coordinating long-range, high-speed, fixed-wing aerial platforms operating in contested environments.”

The solicitation program will be structured as a series of prototype events in which those selected will deploy their algorithms in an unclassified, live, virtual-constructive development environment.

This is yet another step forward in the DOD’s ongoing plan to develop autonomous systems to carry out its operations. At present, the DOD’s drones are piloted by service members, but the goal is to utilize these algorithms to determine how a pack of drones should react as opposed to the individual service member on a joystick or software.

To view the solicitation and project description, click here.

When I conduct employee education sessions on data privacy and cybersecurity, I am often surprised that employees are unaware that their employers are legally able to monitor their use of company assets, and that employers are indeed doing just that. Although some might find this creepy, if an employee is using an employer’s laptop, network or other technology, it is well known that monitoring is being done and is allowed. I tell employees that some employers are monitoring if they are sending things to their personal email account, and that they might get a call from IT or management if they send things to their personal account. Invariably, eyebrows shoot up.

An interesting survey by ExpressVPN was released recently that highlights the gap between employers’ monitoring of employees’ use of company assets and how it is affecting employer-employee relations. Although I could infer these results anecdotally, the survey is quite revealing and is worth a read, especially if you are a human resources manager.

The survey found that especially during the pandemic and with a remote workforce, “bosses are uneasy about remote workers’ productivity.” This makes sense to me, because it is difficult to monitor employees’ productivity when they aren’t in the office. A whopping 74 percent of bosses say that “remote work makes them feel a lack of control over their business,” while 69 percent say they “feel uneasy about remote work because they can’t observe employees in person.” Even more disturbing is that 57 percent of bosses “don’t trust their employees to work without in-person supervision” and 59 percent say they “don’t trust their employees to work without digital supervision.”

The survey shows that surveillance of employees has been “rapidly increasing in recent months,” with 78 percent of the companies surveyed reporting that they use monitoring software to track employee performance and/or online activity, and 90 percent of those companies saying they actively track time their employees spend on work versus activities unrelated to work (online shopping, for instance). Forty-six percent of those surveyed have terminated an employee based on remote monitoring.

On the other hand, employees are quite uneducated about the fact that they are being monitored or how. Only 53 percent of employees are aware that their employer is monitoring their communication and online activities, and one in six were completely unaware that it was even possible for employers to monitor their communication and online activities.

Uh oh—one in three employees report that they have “used their work computer for purposes that they’d find embarrassing should their employer find out” including chats and messages, google searches, visiting job application websites, and “visiting inappropriate sites.”

Employers believe that monitoring is a way to keep work productivity and quality high, while the monitoring makes employees feel “stressed, unappreciated, and resentful.”

The bottom line is that more and more employers are implementing monitoring software, and some may not inform their employees that they are being monitored. Some employees feel so strongly about it that a majority say they would quit their job if their employers started monitoring them.

The survey results are fascinating and insightful for both employers and employees. Employers need to be able to evaluate employees’ work productivity and quality, and with a remote workforce, it is harder than ever to complete that evaluation.

On the other hand, employees need to be treated as professionals and with respect, but they also need to understand the challenges employers face with a remote workforce in controlling the quality and volume of work being performed.

Sounds like a town hall in the making—even if it is over Zoom or Teams—which, of course, can be monitored!

Colonial Pipeline paid hackers a ransom of $4.4 million in bitcoin soon after discovering a cybersecurity hack on its systems that began on May 6. The company’s acknowledgement comes after days of speculation about whether a ransom was paid to the hackers. The company’s CEO defended the “difficult” decision to pay the ransom, maintaining he was trying to avoid widespread fuel shortages for the East Coast. Even with the ransom payment, Colonial’s pipeline was shut down for days, resulting in price spikes and shortages at gasoline stations in the Southeastern U.S. In addition to the ransom payment, Colonial also revealed it would be spending tens of millions of dollars over the next several months to restore its systems.

Meanwhile, the hacker, identified by the FBI as Darkside, a group out of Eastern Europe, lost access to its IT infrastructure and cryptocurrency funds. Many believe that law enforcement seized the group’s assets, given that it occurred on the same day President Biden announced the U.S. would “pursue a measure to disrupt” Darkside.

Outside the bulk electric system, which is bound by the mandatory NERC CIP standards, there are no mandatory federal cybersecurity requirements for U.S. critical infrastructure, and pipelines in particular have been covered only by guidelines. To date, federal government agencies have issued cybersecurity guidelines for the energy sector, but since most operations are privately owned, operators are not obligated to follow them. President Biden is trying to provide funding to harden security systems in U.S. critical infrastructure. His proposed American Jobs Plan includes $20 billion for cities and towns to strengthen energy cybersecurity and $2 billion in grants for energy grids in high-risk areas. In the interim, Biden’s recently issued Executive Order on Improving the Nation’s Cybersecurity controls how security incidents are managed and how hardware and software are used by federal government agencies. For vendors and developers who want to do business with the federal government, this means focusing on improving product security in order to win new contracts from a very large customer.

If you have been following Verizon’s annual data breach investigation reports like I have over the years, you get excited when the new one comes out. If you have never read the report, now’s your chance, as the 2021 report was just released.

Although chock-full of information, the Verizon Data Breach Investigations Report (DBIR) is always written in an understandable way, and it provides important information that helps readers stay current on threat actors’ schemes and scams so that it can be shared with employees to keep them from becoming victims.

This year’s DBIR is 119 pages long, so take your time. It defines words in an accurate way (like “incident” and “breach,” which I appreciate), and outlines the conclusions in an organized manner.

Here is a brief summary of important considerations for cyber risk management strategy:

  • Social engineering is the most successful attack
  • The top hacking vector in breaches is web application servers
  • Denial of service is the most frequent way incidents occur
  • 85 percent of breaches involved a human element
  • Financially-motivated attacks are the most common
  • Organized crime continues to be the number one attacker
  • External cloud assets were compromised more than on-premises assets
  • Older vulnerabilities that haven’t been patched are being exploited by attackers
  • Credentials remain one of the most sought-after data types, followed by personal information
  • Employees continue to make mistakes that cause incidents and breaches
  • Devices continue to be lost or stolen
  • Privileges are misused
  • Business Email Compromises were the second most common form of social engineering
  • The majority of social engineering incidents were discovered externally

In addition, phishing continues to be one of the top causes of data breaches, followed by use of stolen credentials and ransomware, with the notable change in the past year of how threat actors “will first exfiltrate the data they encrypt so that they can threaten to reveal it publicly if the victim does not pay the ransom. We are not sure if this breach double-dipping is permitted in the Threat Actor Code of Conduct, but there has been no evidence that they have one anyway.”

The DBIR discusses the importance of building a culture of cybersecurity vigilance, the difficulties of patching, the new complexities of attacks, which involve numerous steps, and web application attacks.

I will be spending more time with the DBIR as it is hefty reading, but it is well worth the time and energy to stay current on cyber risks and patterns.

Lifespace Communities Inc. (Lifespace), a retirement community chain with more than 15 communities in eight states, recently settled a class action for $987,850 for its alleged violation of the Illinois Biometric Information Privacy Act (BIPA).

The class action was filed in June 2020 in the U.S. District Court for the Northern District of Illinois by Sabrina Bedford, a former nursing assistant at one of Lifespace’s Illinois communities. Bedford alleged that Lifespace violated BIPA requirements by unlawfully requiring employees to scan their fingerprints to track their work hours without obtaining prior informed consent from employees, disclosing its data-collection practices or its retention policy, or informing employees that Lifespace shares their information with third parties.

In the final approval order, Judge Manish Shah approved the proposed settlement amount, which includes a $10,000 incentive award to Bedford and $330,000 in attorneys’ fees. Additionally, settlement class members are expected to receive approximately $1,150 each.

This is yet another example of consumers pushing for transparency and privacy of their personal information. If biometric data collection is necessary for your operations and your company is collecting biometric data (even outside of Illinois and the reach of BIPA), be aware of the risks associated with this type of data collection and seek guidance on appropriate privacy and security measures and safeguards.

Robocalls continue to be irritating and their increased frequency is distracting and exhausting, at least in my experience. We can usually spot them when our caller ID says “potential spam” or if we don’t recognize the number, but robocallers are getting more sophisticated, just like other scammers.

An increasingly frequent scam is one alleging that your car warranty is expiring and that you need to renew it. The messages sound legitimate, but they are not. It has become such a problem that the Federal Trade Commission (FTC) issued a warning this week advising that you hang up when you receive an auto warranty call.

According to the FTC, “This is an illegal robocall and likely a scam. The companies behind this type of robocall are not with your car dealer or manufacturer, and the ‘extended warranty’ they’re trying to sell you is actually a service contract that often sells for hundreds or thousands of dollars.”

I was raised not to hang up on anyone, but following the FTC’s advice to hang up on auto warranty robocalls seems like a good exception.

If you have seniors in your life who could become a victim of this type of scam, let them know so they, too, can follow the FTC’s advice.