Microsoft released its monthly patches this week to fix 128 vulnerabilities: 10 rated critical, 115 important, and three moderate. One of them (CVE-2022-24521, a Windows Common Log File System Driver elevation of privilege vulnerability) is being actively exploited by APT groups, according to the National Security Agency, so addressing this flaw should be a priority for organizations.

According to Microsoft, “Microsoft is aware of an instance of this vulnerability being exploited. As such, customers who have reviewed the security update and determined its applicability with their environment should treat this with the highest priority.”

It is challenging to address the hundreds of patches that vendors release each month. Follow the guidance provided by Microsoft and other vendors, and prioritize the flaws that are known to be actively exploited. Note that an elevation of privilege bug such as this one requires an initial foothold on the machine, so it is typically chained with another entry vector; that is not a reason to rank it lower.
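One way to turn that advice into a repeatable check, as an added example that is not code from the original post, from Microsoft or from CISA: cross-reference the month's release against CISA's Known Exploited Vulnerabilities (KEV) catalog and sort known-exploited entries to the top before vendor severity. The KEV field names (cveID, vendorProject, product, dateAdded, dueDate, requiredAction) follow the public KEV JSON feed, but the catalog excerpt and the patch list below are constructed sample data with illustrative dates and placeholder CVE IDs, not a live download.

```python
"""Rank a monthly patch release by known exploitation, then by severity.

Added example, not code from the original article or from Microsoft/CISA.
The KEV field names follow the public CISA Known Exploited Vulnerabilities
JSON feed; the excerpt and patch list below are constructed sample data,
the dates are illustrative, and CVE-0000-* IDs are placeholders, not real
vulnerabilities.
"""
import json
from datetime import date

# Vendor severity, most urgent first. Anything unrecognised sorts last.
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}

# Constructed excerpt in the shape of the KEV feed (not the real file).
KEV_JSON = """
{
  "vulnerabilities": [
    {
      "cveID": "CVE-2022-24521",
      "vendorProject": "Microsoft",
      "product": "Windows",
      "vulnerabilityName": "Windows CLFS Driver Privilege Escalation",
      "dateAdded": "2022-04-15",
      "shortDescription": "Elevation of privilege in the CLFS driver.",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2022-05-06"
    }
  ]
}
"""

# Constructed slice of a monthly release: CVE ID and vendor severity only.
PATCHES = [
    {"cve": "CVE-2022-24521", "severity": "Important"},
    {"cve": "CVE-0000-0001", "severity": "Critical"},   # placeholder ID
    {"cve": "CVE-0000-0002", "severity": "Important"},  # placeholder ID
    {"cve": "CVE-0000-0003", "severity": "Moderate"},   # placeholder ID
]


def load_kev(kev_json):
    """Index a KEV-format JSON document by CVE ID."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def prioritize(patches, kev, today=None):
    """Return patches sorted: known-exploited first, then by severity.

    `today` may be a date, an ISO date string, or None (use the real date).
    Each result carries the KEV due date (if any) and whether it has passed,
    so the output doubles as an overdue report.
    """
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    ranked = []
    for p in patches:
        entry = kev.get(p["cve"])
        due = date.fromisoformat(entry["dueDate"]) if entry else None
        ranked.append({
            **p,
            "known_exploited": entry is not None,
            "due": due,
            "overdue": due is not None and due < today,
        })
    # Sort key: KEV members first (False < True), then vendor severity, then ID.
    ranked.sort(key=lambda r: (not r["known_exploited"],
                               SEVERITY_RANK.get(r["severity"], 99),
                               r["cve"]))
    return ranked


if __name__ == "__main__":
    for r in prioritize(PATCHES, load_kev(KEV_JSON)):
        flag = "KEV" if r["known_exploited"] else "   "
        print(f"{flag} {r['cve']:<16} {r['severity']:<10} "
              f"due={r['due']} overdue={r['overdue']}")
```

In practice the KEV document is fetched from CISA and the patch list comes from the vendor's release notes or a vulnerability scanner; the ranking logic stays the same, and the `overdue` flag gives compliance teams the federal remediation deadline at a glance.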

The U.S. Navy will begin testing logistics drones on an aircraft carrier to see if the use of unmanned aerial vehicles (UAV) is practical in this environment. These drones are capable of carrying up to a 50-pound payload and can fly about 200 miles. This testing is in response to the needs of the Military Sealift Command (which controls the replenishment and military transport ships of the Navy) and the Naval Air Forces Atlantic fleet for a faster means of sending critical parts to warships at sea. The testing will be conducted by the Naval Air Warfare Center Aircraft Division and will include up to four UAVs in operation.

The Navy has determined that about 90 percent of critical mission failures for warships underway can be repaired by sending a payload weighing less than 20 pounds, which can certainly be transported by these UAVs.  For example, if a small radar component were broken, the Navy could use a UAV to transport the part from a larger vessel at sea to the smaller vessel in a short amount of time without having to reschedule a helicopter route.

The goal of this testing is to be able to use UAVs for critical part delivery at a range of 200 miles, putting the parts into the hands of the sailors efficiently and economically. This testing will occur over a two-year period.

Scammers use familiarity to get victims to fall for their scams. One way to do that is to spoof a cell phone number from the same area code to make the targeted person think that the person calling or texting them is someone they know. When the call is answered, it is a recording or there is a long pause, and then the person on the other end starts their spiel about how your car warranty has expired. That’s an obvious scam.

If you receive a call from a familiar area code, but you don’t recognize the number or the caller’s name is not in your contacts, let the call go to voice mail. If the caller knows you and it is a legitimate call, they will leave a message. If the caller is a scammer, they usually won’t leave a message and you can delete the number from your phone.

The same is true for texts. If you don’t recognize the number, be cautious about responding or clicking on any links in the text. Scammers are even known to catch you off guard by calling or texting you from your own number. They are betting on the fact that you will be so surprised to get such a call or text that you will answer, even if it is just out of curiosity. Suppress the urge!

Here are some tips from the FTC should you get a text from your own phone or spam texts.

The Department of State’s new Bureau of Cyberspace and Digital Policy (CDP) commenced operations on April 4, 2022. According to an announcement, the “CDP bureau will address the national security challenges, economic opportunities, and implications for U.S. values associated with cyberspace, digital technologies, and digital policy.”

The bureau consists of three policy units: International Cyberspace Security, International Information and Communications Policy, and Digital Freedom. The CDP will be led by an Ambassador-at-Large, who will be confirmed by the U.S. Senate.

According to the State Department, the CDP “leads and coordinates the Department’s work on cyberspace and digital diplomacy to encourage responsible state behavior in cyberspace and advance policies that protect the integrity and security of the infrastructure of the Internet, serve U.S. interests, promote competitiveness, and uphold democratic values.”

In a win for global law enforcement, Germany’s Bundeskriminalamt (BKA) announced on April 5, 2022, that it had officially taken down the infrastructure of Hydra, a Russia-based illegal dark-web marketplace that has allegedly facilitated more than $5 billion in Bitcoin transactions since its inception in 2015. In the process of shutting it down, German authorities seized over $25 million in Bitcoin through 88 transactions. According to BKA, it “secured the server infrastructure in Germany of the world’s largest illegal Darknet marketplace ‘Hydra Market.’”

BKA attributed the takedown to a collaborative investigation between its Central Office for Combating Cybercrime and U.S. law enforcement authorities that had been under way since August 2021.

According to BKA, Hydra had 17 million customers and over 19,000 seller accounts registered on its marketplace, and “was probably the illegal marketplace with the highest turnover worldwide.”

Following the takedown in Germany, the U.S. Department of the Treasury (Treasury) Office of Foreign Assets Control (OFAC) followed up with sanctions against Hydra, which, according to Secretary of the Treasury Janet Yellen, send “a message today to criminals that you cannot hide on the darknet or their forums, and you cannot hide in Russia or anywhere else in the world.”

Treasury’s release states, “Countering ransomware is a top priority of the Administration. Today’s action supports the Administration’s counter-ransomware lines of effort to disrupt ransomware infrastructure and actors in close coordination with international partners” and calls out Russia as “a haven for cybercriminals.”

Therefore, Hydra was designated by OFAC “for being responsible for or complicit in, or having engaged in, directly or indirectly, cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States and that have the purpose or effect of causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.”

Treasury further sanctioned the virtual currency exchange Garantex, which is registered in Estonia but operates out of Moscow and St. Petersburg, Russia. According to Treasury, more than $100 million in transactions over the exchange were associated with “illicit actors and darknet markets,” including Conti and Hydra.

Therefore, Treasury designated Garantex “for operating or having operated in the financial services sector of the Russian Federation economy” which “reinforces OFAC’s recent public guidance to further cut off avenues for potential sanctions evasion by Russia, in support of the G7 leaders’ commitment to maintain the effectiveness of economic measures.”

These actions by the Department of the Treasury send a strong message to cybercriminals that sanctions related to the war in Ukraine are rapidly spurring additional scrutiny and action by law enforcement against anyone associated with Putin or Russia.

For more on what these sanctions mean for U.S. individuals and businesses, click here.

Plaintiffs filed suit in the U.S. District Court for the District of Delaware against Shopify Inc. and TaskUs Inc., alleging that the companies failed to implement measures to prevent a data breach that exposed their personal information and led to losses from their cryptocurrency portfolios.

The breach occurred in 2020 and affected Ledger SAS, a maker of cryptocurrency hardware wallets, which had contracted with third-party vendors Shopify and TaskUs to process its customers’ personal information. The breach exposed the names, email addresses, postal addresses, and phone numbers of 272,000 individuals.

The complaint alleges that the affected personal information was published online. It also alleges that some individuals received threats of physical violence or blackmail if they did not transfer their crypto assets to the cybercriminals, which led to millions of dollars in cryptocurrency being stolen.

The complaint includes allegations of negligence, unjust enrichment, violations of Florida’s Deceptive and Unfair Trade Practices Act, violations of the North Carolina Unfair and Deceptive Trade Practices Act, violations of the Arizona Consumer Fraud Act, and violations of the Kentucky Consumer Protection Act.

Furthermore, the complaint alleges that phishing attempts were made by hackers posing as Ledger support team members and asking Ledger customers to download a fake version of the Ledger Live software.

Plaintiffs are seeking injunctive relief requiring Shopify and TaskUs to implement security safeguards to protect consumers’ personal information as well as direct damages, punitive damages, compensatory damages, statutory damages, and attorneys’ fees and costs.

Last week, Judge Linda Lopez of the U.S. District Court for the Southern District of California dismissed the class action lawsuit against Netgain Technology due to the lack of personal jurisdiction over the business. The class action lawsuit, Lee v. NetGain Technology, LLC, resulted from a 2020 data breach that affected personal and medical information of patients at Caresouth Carolina, a community health center. Netgain Tech was the cloud-hosting service for Caresouth and many other health care and accounting organizations.

The problem: the lead plaintiff, Gerald Lee, resides in South Carolina; Netgain Tech is a Minnesota-based company. Judge Lopez held that the Southern District of California was not the appropriate forum. Lee argued that Netgain conducts a substantial portion of its business in California, has an office and employees in California, and advertises and provides services to California residents.

Judge Lopez also held that the complaint centers around Netgain’s failure to secure Caresouth patients’ information, which has nothing to do with Netgain’s operations in San Diego. Further, in order to demonstrate that the claims arose out of forum-related activities, Lee would need to show that he would not have suffered an injury without the conduct in San Diego.

Judge Lopez also rejected the motion for jurisdictional discovery (to establish that the San Diego location was at least partially responsible for the data breach), stating that Lee had no evidence to support that theory. Netgain Tech prevails for now.

This week we learned that the email and social media marketing company Mailchimp suffered a data breach that allowed an intruder to view 319 Mailchimp accounts. According to multiple sources, audience data were accessed from 102 of those accounts.

It was reported that the threat actor was able to breach Mailchimp’s systems through social engineering on Mailchimp’s employees. A company spokesperson indicated that the attack was targeted to users in “industries related to cryptocurrency and finance.” It was also reported that the threat actor was using information from the hacked accounts to send out phishing emails.

This data breach underscores how important it is for companies to conduct regular employee training that warns users not to act on suspicious emails or links, and to require multi-factor authentication on employee accounts that can reach customer data (here the intruder got in through employees, not customers). For individuals, it is a reminder to enable multi-factor authentication on critical financial accounts and to treat unexpected email from a familiar sender with the same suspicion as mail from a stranger.

On April 5, 2022, the U.S. Department of the Treasury Office of Foreign Assets Control (OFAC) sanctioned the darkweb Hydra Marketplace and the virtual currency exchange Garantex and added both to the Specially Designated Nationals List (SDN) [view related post].

On October 1, 2020, OFAC issued a Ransomware Advisory “to alert companies that engage with victims of ransomware attacks of the potential sanctions risks for facilitating ransomware payments.”

OFAC specifically designates “malicious cyber actors and those who facilitate ransomware transactions under its cyber-related sanctions program.” Understanding and adhering to the Advisory is very important for companies that are victims of ransomware attacks if they are considering paying a ransom.

OFAC updates the cyber-related designations, which can be accessed on the Department of the Treasury’s website, as it did on April 5, 2022 with Garantex and Hydra.

When it added Garantex to the designation list, OFAC also identified over 100 digital currency addresses associated with SDN Hydra Marketplace that were used to conduct “illicit transactions,” so that those handling digital currency can screen for these addresses and block transactions with them.
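What that screening looks like in practice, as an added example that is not code from the original post or from OFAC: the SDN list is published as XML in which each designated party carries an idList, and sanctioned wallet addresses appear as identifiers whose idType begins with "Digital Currency Address - " followed by the asset code (XBT, ETH, and so on). The routine below parses identifiers in that shape, builds an address index, and screens a batch of counterparties against it, normalising hex (0x) addresses case-insensitively while leaving case-sensitive base58 addresses untouched. The element names and namespace follow OFAC's published sdn.xml, but every entry, program tag and address in the sample document is constructed for this example and is not an address from the real list.

```python
"""Screen virtual currency addresses against OFAC SDN list identifiers.

Added example, not code from the original article or from OFAC. The XML
shape (sdnEntry / idList / id / idType / idNumber under the namespace
http://tempuri.org/sdnList.xsd) follows OFAC's published sdn.xml; the
entries below are constructed sample data and every address in them is
made up for this example.
"""
import xml.etree.ElementTree as ET

NS = {"s": "http://tempuri.org/sdnList.xsd"}
ADDRESS_ID_PREFIX = "Digital Currency Address - "

# Constructed document in the shape of sdn.xml (not the real list).
SAMPLE_SDN_XML = """<?xml version="1.0" encoding="utf-8"?>
<sdnList xmlns="http://tempuri.org/sdnList.xsd">
  <sdnEntry>
    <uid>1</uid>
    <lastName>SAMPLE DARKNET MARKET</lastName>
    <sdnType>Entity</sdnType>
    <programList><program>CYBER2</program></programList>
    <idList>
      <id><uid>11</uid><idType>Digital Currency Address - XBT</idType>
          <idNumber>1ConstructedSampleBtcAddressAAAAAAAAAA</idNumber></id>
      <id><uid>12</uid><idType>Digital Currency Address - ETH</idType>
          <idNumber>0xabcdef0123456789abcdef0123456789abcdef01</idNumber></id>
      <id><uid>13</uid><idType>Registration Number</idType>
          <idNumber>00000000</idNumber></id>
    </idList>
  </sdnEntry>
</sdnList>
"""


def normalize(addr):
    """Canonical form for matching.

    Hex (0x-prefixed) addresses may be presented in mixed-case checksum form,
    so they are compared case-insensitively. Base58 addresses are case
    sensitive and are left exactly as given.
    """
    addr = addr.strip()
    return addr.lower() if addr.lower().startswith("0x") else addr


def load_address_index(xml_text):
    """Map each listed digital currency address to its asset, party and programs."""
    index = {}
    root = ET.fromstring(xml_text)
    for entry in root.findall("s:sdnEntry", NS):
        name = entry.findtext("s:lastName", default="", namespaces=NS)
        programs = [p.text for p in entry.findall("s:programList/s:program", NS)]
        for ident in entry.findall("s:idList/s:id", NS):
            id_type = ident.findtext("s:idType", default="", namespaces=NS)
            if not id_type.startswith(ADDRESS_ID_PREFIX):
                continue  # passports, registration numbers etc. are not addresses
            asset = id_type[len(ADDRESS_ID_PREFIX):]
            addr = normalize(ident.findtext("s:idNumber", default="", namespaces=NS))
            index[addr] = {"asset": asset, "name": name, "programs": programs}
    return index


def screen(addresses, index):
    """Return the addresses that match a listed address, with the listing details."""
    hits = []
    for a in addresses:
        match = index.get(normalize(a))
        if match:
            hits.append({"address": a, **match})
    return hits


if __name__ == "__main__":
    idx = load_address_index(SAMPLE_SDN_XML)
    batch = [
        "0xABCDEF0123456789ABCDEF0123456789ABCDEF01",  # checksum-case variant
        "1NotListedAAAAAAAAAAAAAAAAAAAAAAAAAAAA",        # clean counterparty
    ]
    for h in screen(batch, idx):
        print(f"BLOCK {h['address']} ({h['asset']}): {h['name']} {h['programs']}")
```

Real deployments pull the current sdn.xml on a schedule, index it once, and run every outbound and inbound transfer through `screen` before settlement; a hit is a hold-and-escalate event, not merely a log line, because the prohibition quoted below applies to receiving funds from a blocked person as much as sending them.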

OFAC explains the implications of U.S. persons transacting any business with sanctioned individuals or entities in its announcement of the sanctions against Hydra and Garantex:

All transactions by U.S. persons or within (or transiting) the United States that involve any property or interests in property of designated or otherwise blocked persons are prohibited unless authorized by a general or specific license issued by OFAC, or exempt. These prohibitions include the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any blocked person and the receipt of any contribution or provision of funds, goods, or services from any such person.

OFAC has also issued Sanctions Compliance Guidance for the Virtual Currency Industry to assist compliance professionals on how to navigate this space.

We expect to see more activity in cyber designations while the U.S. continues to ramp up sanctions against Russia and its leadership.

U.S. District Judge Robert Pitman struck down a Texas drone law (one of the most restrictive in the U.S.), for violating the First Amendment’s protections of freedom of speech and the press. While there have been other cases in which the court has struck down similar laws in municipalities, this is the first time that a state law regulating drone operations has been struck down as unconstitutional.

The law, Chapter 423 of the Texas Government Code, was challenged by the National Press Photographers Association (NPPA), the Texas Press Association (TPA), and three Texas-based photojournalists. The parties argued that the law improperly prohibited the use of drones to collect images used for newsgathering purposes. While Chapter 423 does include exceptions to these restrictions (e.g., surveying, real estate work, and academic research), there is no exception for news reporting. The purpose of the law was to restrict the use of drones to collect images of private property or to use drones for surveillance.

Therefore, Judge Pitman ruled that Chapter 423 was unconstitutional and could not be enforced by any government or police entity, saying this was a content-based restriction, which is impermissible under the First Amendment.

Judge Pitman also took issue with the “no-fly” provisions of Chapter 423. The law also prohibits drones from flying over a correctional facility, detention facility, critical infrastructure facility or sports venue at lower than 400 feet and imposes criminal sanctions. Critical infrastructure is defined to include oil and gas pipelines, petroleum and alumina refineries, water treatment facilities, and natural gas fractionation and chemical manufacturing plants, as well as animal-feeding operations, oil and gas drilling sites, and chemical production facilities, among others. Sports venues include any arena, stadium, automobile racetrack, coliseum, or any other facility that has a seating capacity of more than 30,000 people and is “primarily used” for one or more professional or amateur sport or athletics events. The plaintiffs argued that these “no-fly” restrictions, when combined with the Federal Aviation Administration’s drone regulations (which require drones to fly at 400 feet or lower), effectively ban the use of drones at these locations even if, for example, a stadium requests that coverage of a sporting event be photographed or videographed using a drone.

This ruling will likely affect rulings in other states in which there are constitutional challenges to laws restricting drone use. To read Judge Pitman’s ruling, click here.