The FBI and CISA recently issued a Cybersecurity Alert entitled “#StopRansomware: Zeppelin Ransomware” providing an alert to organizations about the proliferation of Zeppelin ransomware attacks and information on the indicators of compromise and techniques to combat them.

According to the Advisory, “From 2019 through at least June 2022, actors have used this malware to target a wide range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, technology companies, and especially organizations in the health care and medical industries. Zeppelin actors have been known to request ransom payments in Bitcoin, with initial amounts ranging from several thousand dollars to over a million dollars.”

The Advisory explains how the ransomware is deployed:

“Zeppelin actors gain access to victim networks via RDP exploitation, exploiting SonicWall firewall vulnerabilities, and phishing campaigns. Prior to deploying Zeppelin ransomware, actors spend one to two weeks mapping or enumerating the victim network to identify data enclaves, including cloud storage and network backups. Zeppelin actors can deploy Zeppelin ransomware as a .dll or .exe file or contained within a PowerShell loader.

“Prior to encryption, Zeppelin actors exfiltrate sensitive company data files to sell or publish in the event the victim refuses to pay the ransom. Once the ransomware is executed, a randomized nine-digit hexadecimal number is appended to each encrypted file as a file extension, e.g., file.txt.txt.C59-E0C-929. A note file with a ransom note is left on compromised systems, frequently on the desktop.”

What is particularly alarming is that the FBI has observed that the attackers execute the malware multiple times in the network, which “results in the victim needing several unique decryption keys.” The Advisory lists in detail the indicators of compromise, which organizations may wish to review, as well as ways to detect and mitigate the risk of compromise. The Advisory can be accessed here.
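The one file-system artifact the Advisory spells out is the appended extension: a randomized nine-digit hexadecimal value written as three hyphen-separated groups (e.g. file.txt.txt.C59-E0C-929). The following added example, written for this post and not taken from the Advisory, shows how a responder can triage a file listing for that pattern and, because each separate execution of the malware produces a different suffix, count how many distinct encryption runs (and therefore decryption keys) a victim is looking at. The file names are constructed sample data.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Zeppelin appends a nine-digit hexadecimal value as a new extension, written as
# three groups of three separated by hyphens, e.g. ".C59-E0C-929" (per the Advisory).
ZEPPELIN_SUFFIX = re.compile(r"\.([0-9A-F]{3}-[0-9A-F]{3}-[0-9A-F]{3})$", re.IGNORECASE)


def zeppelin_suffix(filename: str) -> Optional[str]:
    """Return the Zeppelin-style suffix (upper-cased) if the name carries one, else None."""
    match = ZEPPELIN_SUFFIX.search(filename)
    return match.group(1).upper() if match else None


def group_by_suffix(filenames: Iterable[str]) -> Dict[str, List[str]]:
    """Group encrypted files by suffix.

    Each distinct suffix corresponds to a separate run of the ransomware, which is
    why the FBI notes that victims may need several unique decryption keys.
    """
    groups: Dict[str, List[str]] = defaultdict(list)
    for name in filenames:
        suffix = zeppelin_suffix(name)
        if suffix:
            groups[suffix].append(name)
    return dict(groups)


def summarize(filenames: Iterable[str]) -> dict:
    """Triage summary: how many files are affected and how many encryption runs occurred."""
    groups = group_by_suffix(filenames)
    return {
        "files_encrypted": sum(len(names) for names in groups.values()),
        "distinct_suffixes": len(groups),
        "suffixes": sorted(groups),
    }


# Constructed sample listing for demonstration; not data from any real incident.
SAMPLE_LISTING = [
    "file.txt.txt.C59-E0C-929",   # matches the Advisory's example form
    "budget.xlsx.C59-E0C-929",    # same run as above
    "notes.docx.1ab-22c-f00",     # second run (different suffix, lower-case hex)
    "readme.md",                  # untouched file
    "archive.tar.gz",             # multiple dots but no hex suffix
    "photo.jpg.GHI-123-456",      # not hexadecimal: must not match
    "report.pdf.12-345-678",      # wrong group length: must not match
]

if __name__ == "__main__":
    result = summarize(SAMPLE_LISTING)
    print(f"{result['files_encrypted']} encrypted files, "
          f"{result['distinct_suffixes']} distinct suffix(es): {result['suffixes']}")
```

Running the script over a real listing (for example the output of `find` or `dir /s` saved to a file) gives a quick indication of scope before any restoration or negotiation decision is made; a count of distinct suffixes greater than one is the signal that more than one key will be needed.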

A subpoena was issued to Alight Solutions by the U.S. Department of Labor (DOL) for documents related to a cybersecurity breach that potentially resulted in Employee Retirement Income Security Act (ERISA) violations. Alight provides recordkeeping, administrative, and consulting services for over 750 employee benefit plans with more than 20 million plan participants.

The DOL began investigating Alight in 2019 after discovering unauthorized distributions due to security breaches. The DOL stated in its brief to the Seventh Circuit that Alight “failed to disclose those breaches and unauthorized distributions to plan clients for months.” The DOL then began investigating these incidents to determine whether any parties involved in the breaches had violated (or would violate) ERISA (the Employee Retirement Income Security Act of 1974). During the investigation, the DOL issued a subpoena that Alight argued was overly broad and burdensome and that the DOL did not have the authority to issue.

However, the Seventh Circuit ruled that the DOL has broad power to issue subpoenas like this and to investigate non-fiduciaries, even if such entities only service ERISA plans in an administrative capacity. The court agreed with the DOL, stating that the DOL’s authority under the law depends on the information requested and its relation to an actual or potential ERISA violation. Walsh v. Alight Solutions, LLC, No. 21-3290, 2022 WL 3334450 (7th Cir. Aug. 12, 2022).

In the opinion, the court said, “Whether or not Alight is a fiduciary does not affect the department’s investigatory authority [. . .] Even if Alight only has information about another entity’s ERISA violation, the statute grants the department authority to compel its production from Alight. A contrary rule would allow ERISA fiduciaries to avoid liability altogether by outsourcing recordkeeping and administrative functions to nonfiduciary third parties, evading regulatory oversight. Congress did not confine the department’s investigatory power in this manner.” Furthermore, the court stated that “[a]s the [U.S.] Supreme Court has long recognized, Congress incorporated into ERISA ‘a standard of loyalty and a standard of care,’” which means that “the reasonableness of Alight’s cybersecurity services, and the extent of any breaches, is therefore relevant to determining whether ERISA has been violated — either by Alight itself or by the employers that outsourced management of their ERISA plans to Alight.”

Alight also argued that in order to comply with the subpoena it would require thousands of hours of work; however, the court was not persuaded by this argument, stating that Alight did not present evidence that compliance was unduly burdensome. The court said that case law supports the notion that “large production requests are not necessarily unduly burdensome,” but that this holding was narrow in that federal “[a]gencies should not read this result as granting leave to issue administrative subpoenas that are overly cumbersome or that seek information not reasonably relevant to the investigation at hand.”

Boise State Public Radio has reported that the Idaho Health Data Exchange (IHDE) filed for Chapter 11 bankruptcy on August 12, 2022. IHDE is a not-for-profit organization that was launched in 2009 to provide access to patient records for 194 different participating treatment providers.

According to the report, IHDE “operates a massive database of Idaho patient medical records.” IHDE is defending itself in litigation from creditors and the filing is designed to allow it to operate while it works through the litigation and pays its creditors. There is no mention in the report about what could happen to the database if IHDE goes out of business. However, IHDE has said that the records belong to the patients and providers. If IHDE goes out of business, determining what to do with the database would be a monumental task.

Hyundai Motor Group announced the launch of Boston Dynamics AI Institute (the Institute), which will work toward making strides in artificial intelligence (AI), robotics, and intelligent machines. The Institute will focus on research related to solutions for the challenges faced in the creation of advanced robots and the need for advanced capabilities and uses. The Institute will combine the university research lab model with the corporate development lab model focused on four technical areas: cognitive AI, athletic AI, organic hardware design, and ethics and policy.

The mission of the Institute is to create robots and intelligent machines that are smarter, more perceptive, and safer than any of the AI technology that exists today. It hopes to build new robots that are more user-friendly, more productive, more versatile (i.e., can perform more tasks), and are safer when working with people. Additionally, while the Institute will develop technology through its own staff, it also will partner with universities and corporate research labs to expand the depth of its research and capabilities. The Institute will be headquartered in Cambridge, Massachusetts, and intends to engage many new AI and robotics researchers, software and hardware engineers, and technicians at varying levels.

It’s back-to-school time and every parent I know of school-aged children is scouring lists provided by schools to purchase items for their kids’ first day.

It is easy and convenient to purchase these items online, but online shopping poses greater risks of fraud than shopping in retail stores.

Because of that, the Federal Trade Commission has issued a Consumer Alert to help avoid fraud and scams with online shopping. This year, as you are buying those school supplies, if you are buying them online, take a look at the FTC’s tips on how to avoid scams and save money.

We’ve explained smishing schemes before [view related posts]. Smishing is like phishing, but uses SMS texting to deliver malicious code to users’ phones, or tricks the user into visiting a malicious website to steal their credentials or money. Hence, the important tip is to be very wary of texts from unknown individuals urging you to click on links embedded within the text.

Smishing schemes can be sophisticated, which is how Twilio describes the successful smishing attack against it that was discovered on August 4, 2022. According to Wikipedia, Twilio “provides programmable communication tools for making and receiving phone calls, sending and receiving text messages, and performing other communication functions using its web service APIs.” It is ironic that Twilio, a communications platform, was hit with a smishing attack.

According to Twilio,

“On August 4, 2022, Twilio became aware of unauthorized access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials. This broad based attack against our employee base succeeded in fooling some employees into providing their credentials. The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data….

“More specifically, current and former employees recently reported receiving text messages purporting to be from our IT department. Typical text bodies suggested that the employee’s passwords had expired, or that their schedule had changed, and that they needed to log in to a URL the attacker controls. The URLs used words including “Twilio,” “Okta,” and “SSO” to try and trick users to click on a link taking them to a landing page that impersonated Twilio’s sign-in page. The text messages originated from U.S. carrier networks. We worked with the U.S. carriers to shut down the actors and worked with the hosting providers serving the malicious URLs to shut those accounts down. Additionally, the threat actors seemed to have sophisticated abilities to match employee names from sources with their phone numbers.”

The data of 125 customers was affected by the attack and Twilio is working directly with those customers.
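Twilio’s description gives defenders a concrete, detectable pattern: lure texts containing links whose host or path carries brand words (“Twilio,” “Okta,” “SSO”) while the link does not actually point at the organization’s real sign-in domain. The following added example, written for this post rather than taken from Twilio’s report, applies that heuristic to sample messages. The allowlist of legitimate domains is an assumed policy input that each organization would set for itself, and every lure URL and message text is constructed (the reserved `.example` TLD is used so nothing resolves).

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Brand words Twilio reported seeing in the lure URLs.
BRAND_KEYWORDS = ("twilio", "okta", "sso")

# Assumed allowlist of the organization's genuine sign-in domains (hypothetical policy input).
LEGIT_DOMAINS = {"twilio.com", "okta.com"}

# Finds http(s) URLs and bare host/path tokens inside free text.
URL_RE = re.compile(r"(?:https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?::\d+)?(?:/[^\s]*)?")


def registered_domain(hostname: str) -> str:
    """Last two DNS labels. Simplification: ignores multi-part public suffixes such as co.uk."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def flag_smishing_url(url: str, keywords=BRAND_KEYWORDS, allowlist=LEGIT_DOMAINS) -> Optional[str]:
    """Return a reason if the URL impersonates a brand on a non-allowlisted domain, else None."""
    if "://" not in url:
        url = "http://" + url          # let urlsplit treat a bare host as a netloc
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()   # .hostname drops any port
    if not host:
        return "unparseable host"
    domain = registered_domain(host)
    if domain in allowlist:
        return None                    # brand words on the brand's own domain are expected
    hits = [k for k in keywords if k in host or k in parts.path.lower()]
    if hits:
        return f"brand keyword(s) {','.join(hits)} on non-allowlisted domain {domain}"
    return None


def scan_message(text: str) -> List[Tuple[str, str]]:
    """Extract URLs from a text message and return (url, reason) for each one flagged."""
    flagged = []
    for url in URL_RE.findall(text):
        reason = flag_smishing_url(url)
        if reason:
            flagged.append((url, reason))
    return flagged


# Constructed sample texts modelled on the lure themes Twilio described (expired
# password, changed schedule); not real messages.
SAMPLE_MESSAGES = [
    "IT Dept: your Twilio password has expired. Reset it now at https://twilio-sso.example/reset",
    "Your on-call schedule changed, see https://sso.twilio.com/schedule for details",
    "Okta session expiring: http://okta-login.example:8080/twilio",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for url, reason in scan_message(msg):
            print(f"FLAGGED {url}: {reason}")
```

The check deliberately keys on the registered domain rather than the full hostname, so `sso.twilio.com` or `okta.twilio.com` pass while `twilio-sso.example` does not; this is the same distinction users are asked to make by eye, which is exactly what the lures are designed to defeat. It is a triage heuristic for awareness training and mail/SMS gateway review, not a substitute for phishing-resistant authentication.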

Just after Twilio announced it had been affected by the smishing incident, Cloudflare publicly announced on August 9, 2022, that it, too, had been targeted by a similar attack. According to its website, Cloudflare “started as a simple application to find the source of email spam. From there it grew into a service that protects websites from all manner of attacks, while simultaneously optimizing performance.”

Cloudflare said it had been targeted by a similar smishing scheme and used the experience to educate others about the incident in its blog post: “The mechanics of a sophisticated phishing scam and how we stopped it.” Cloudflare acknowledged that “around the same time as Twilio was attacked, we saw an attack with very similar characteristics also targeting Cloudflare’s employees” and, while some of its employees fell for the messages, it used its own products to stop the attack. Albeit a bit self-serving, the point is that internet service providers (ISPs) and other communication providers were being targeted simultaneously with smishing attacks, which is obviously concerning.

Cloudflare states “This was a sophisticated attack targeting employees and systems in such a way that we believe most organizations would be likely to be breached. Given that the attacker is targeting multiple organizations, we wanted to share here a rundown of exactly what we saw in order to help other companies recognize and mitigate this attack.” Very helpful Cloudflare, and thank you for sharing details so other organizations can be aware of how the scheme works and put measures in place to prevent a similar attack. This is the value of information sharing. The breakdown of the attack by Cloudflare is excellent, and readers may wish to review it and use it as a tool for educating their users on smishing attacks and why they are often so successful.

ACTS Retirement Services, Inc. (ACTS), a non-profit corporation that manages retirement communities, suffered a data breach in April 2022, which led to unauthorized access to thousands of current and former employees’ personal information. Specifically, names, Social Security numbers, and financial information were affected. As a result of this incident, ACTS now faces a data breach class action suit in which the plaintiffs allege that ACTS failed to implement adequate security systems to protect employee information, which led to the access of their information by cyber criminals. The complaint alleges that the incident will lead to a heightened risk of identity theft and fraud for all affected individuals. Furthermore, the complaint alleges that the credit monitoring and identity theft protection services offered were insufficient to protect the proposed class members.

The lead plaintiff in the action claims that ACTS retains employees’ information for years and “even decades” after they stop working at the business.

This class action may act as a reminder to reassess the data your own company collects, how it is stored, maintained and protected, and to determine your business need and any legal requirements around retention of those data so that you can destroy or delete any data that you no longer need or are required to retain. To view the class action complaint, click here.

A federal court ruled last week in Thaler v. Vidal (4th Cir. Aug. 5, 2022), that an artificial intelligence (AI) system cannot be listed as a named inventor on a patent application, affirming earlier rulings from the United States Patent and Trademark Office (USPTO) and the lower court in the Eastern District of Virginia.

Dr. Richard Thaler brought the case to challenge a USPTO ruling that his patent applications were invalid because he listed his AI system, called DABUS, as the inventor. According to the briefings, Thaler did not contribute to the conception of these inventions, and any person having skill in the art could have taken DABUS’ output and reduced the ideas in the applications to practice, meeting two requirements for US Patent applications.

The Circuit Court concluded that the Patent Act requires an “inventor,” as defined in § 100(f) of the Patent Act, to be a “natural person” and that there was “no ambiguity in the text.” According to the ruling, the statute’s use of the pronouns “his” and “her” indicates that Congress intended patentholders to be human. Thaler has announced his intention to seek further review of the Fourth Circuit’s ruling, with his attorney criticizing the court’s textualist approach to interpreting the Patent Act. The Fourth Circuit picked up and immediately abandoned a more exciting line of reasoning: patent applications require the applicant to certify their belief that they created the work, so an AI system must be capable of forming beliefs to hold a patent. Thaler didn’t offer any evidence that DABUS could do so, but future AI systems might become advanced enough to form beliefs. So, should a self-aware AI be granted legal personhood? The Thaler decision points to no, but this court has hardly given the final word on the issue as AI systems increase in complexity.

This week, the Federal Aviation Administration (FAA) issued a task order contract to the New York UAS Test Site for an unmanned aircraft system (UAS or drone) integration project. The project is designed to assist in the development of a UAS traffic management (UTM) system and to promote the safe operation of high-volume drone operations. This UTM Field Test project (Project) will be overseen by the Northeast UAS Airspace Integration Research Alliance, Inc. (NUAIR), a New York-based nonprofit that manages the operations of the FAA-designated New York UAS Test Site at Griffiss International Airport in Rome, New York. NUAIR led the efforts for New York’s 50-mile UAS Corridor that runs between the cities of Rome and Syracuse. The Project will be conducted in this Corridor and will provide the FAA with information useful to policy development and standards for beyond visual line-of-sight drone operations. Such operations are critical to the advancement and widespread integration of commercial drone operations in the national airspace at low altitudes.

The demand for the operation of drones in low altitude airspace (i.e., below 400 feet) continues to increase, especially after the pandemic, when the desire for at-home and instantaneous delivery grew. The FAA seeks to support these complex drone operations in a safe and efficient manner. Projects like the Field Test will assist in improving UTM and other necessary technologies and systems. The Project went live in July and is set for completion by Spring 2023. In addition to NUAIR’s management of the Project, ANRA Technologies, AX Enterprize, Cal Analytics, Oneida County Sheriff’s Office, Oneida Indian Nation, and OneSky will partner and collaborate as well. Through these industry partners and local government, the UTM infrastructure will be updated so the FAA and the drone community can help build a better ecosystem.

The Twilio and Cloudflare smishing attacks [view related post] provide a timely reminder of how sophisticated smishing attacks are and how they can affect businesses and their customers. But threat actors don’t just attack businesses; they also attack individual users, hoping to trick them into giving the threat actors credentials for access into personal and professional networks or to steal money.

We have pointed out the risk of smishing schemes in the past [view related posts]. Recently, the Federal Trade Commission issued a consumer alert on smishing because it “has seen a spike in reports from people getting text messages that look like they’re from well-known names” including retailers and package delivery companies. The Alert is worth a read and is a timely reminder to be wary of unknown texts.