Another example of the resiliency and creativity of cyber-attackers is outlined in a new blog post by Cisco Talos researchers, which describes how, over the past year, and in particular since the pandemic-driven migration from office work to work from home, cyber-attackers have been using collaboration platforms like Slack and Discord to distribute malware to unsuspecting victims.

According to the blog:

  • As telework has become the norm throughout the COVID-19 pandemic, attackers are modifying their tactics to take advantage of the changes to employee workflows.
  • Attackers are leveraging collaboration platforms, such as Discord and Slack, to stay under the radar and evade organizational defenses.
  • Collaboration platforms enable adversaries to conduct campaigns using legitimate infrastructure that might not be blocked in many network environments.
  • Remote Access Trojans (RATs), information stealers, internet-of-things malware and other threats are leveraging collaboration platforms for delivery, component retrieval and command and control communications.

In sum, collaboration rooms and platforms are being used to “spread traditional malspam lures used to infect victims.” Attackers use the platforms to “circumvent perimeter security controls and maximize infection capabilities.” The platforms are being abused during three phases of malware attacks: delivery, component retrieval, and C2 and data exfiltration. They are also being used for social engineering campaigns.

If your organization uses collaboration platforms, it is important to let your IT professionals and employees know about the malicious use of these platforms so they can apply the same cyber-hygiene they would to a phishing or social engineering scheme and avoid causing an incident. The same tools and judgment they use to identify malicious emails or texts should be applied to messages and links received through these collaboration platforms. Education about these schemes, and about the abuse of legitimate business platforms, is the first line of defense in preventing an incident.

Two more state governors, those of Maine and North Dakota, have signed bills into law that adopt the National Association of Insurance Commissioners (NAIC) data security model law (Model Law). Maine and North Dakota join several other states that have already passed similar laws. Hawaii, Idaho, Illinois, Iowa, Minnesota, Rhode Island, and Wisconsin have similar bills pending.

What is the NAIC Model Law and to Whom Does it Apply?

According to the NAIC, the Model Law “seeks to establish standards for regulators and insurers in order to mitigate the potential damage of a data breach. The law applies to insurers, insurance agents and other entities licensed by the state department of insurance.”

What Does the Model Law Require?

The Model Law requires insurers and other entities licensed by state insurance departments to develop, implement, and maintain an information security program based on the licensee’s risk assessment, with a designated employee in charge of that program. The Model Law also requires licensees to investigate a cybersecurity event and notify the state insurance commissioner. Licensees are further required to implement an incident response plan.

Neither the Maine nor the North Dakota law takes effect right away. Maine’s Model Law is effective January 1, 2022, with one section regarding compliance with third-party service provider arrangements effective January 1, 2023. The North Dakota law takes effect on August 1, 2022, with one section regarding the obligation to document and report cybersecurity events and related incident response activities effective August 1, 2023.

North American IT company Presidio faces a proposed data breach class action by an employee for an incident involving employee data. Eric LaPrairie, a former Presidio employee, received a notice of a data breach from Presidio, and about a month later found out that he was the victim of a SIM swap (a technique in which a hacker uses personal information to swap someone’s telephone number onto a new phone). After the SIM swap, LaPrairie claims the hacker was able to reset some of LaPrairie’s online passwords and attempted to gain access to his bank accounts and other accounts storing personal documents.

LaPrairie claims that he spent between 15 and 20 hours working with his mobile carrier to correct the problem and updating his online account security.

On March 5, 2020, a hacker accessed Presidio’s servers and the personal information of 3,324 current or former employees, including their names, Social Security numbers, employment information, and tax information. The affected employees received notices about the breach in April 2020. Presidio offered either 12 or 24 months of credit monitoring services to all individuals who were affected.

LaPrairie seeks to represent a nationwide class of all current and former employees in a data breach class action and claims negligence, breach of contract, unjust enrichment, and violations of several state laws. LaPrairie is seeking damages, attorneys’ fees, and costs, and for a requirement that Presidio bolster its security measures.

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) recently released a free tool that will assist organizations with identifying indicators of compromise following threat activity in Microsoft 365 and Azure Environments.

The new CISA Hunt and Incident Response Program (CHIRP) tool “is a forensics collection tool that CISA developed to help network defenders find indicators of compromise (IOCs)” associated with the activity CISA had earlier highlighted in previous Alerts outlining the Sparrow program.

Like the Sparrow program before it, CHIRP is designed to identify IOCs within an on-premises environment and scans only Windows operating systems. The free tool can be obtained from CISA’s GitHub repository, where it is available as either a compiled executable or a Python script.

For the past few years, the main mechanism used by the U.S. against China in the U.S.-Chinese tech war has been Executive Orders limiting (or even banning) the use by government agencies of certain software and drones manufactured and/or owned by Chinese companies. Now, instead of only playing defense against Chinese technology, Senators Chuck Schumer (D-NY) and Todd Young (R-IN) have teamed up to support the Endless Frontier Act (Act). Originally introduced in 2020 as S. 3832, the bill will be revamped and made a keystone of this new Act.

The bipartisan group in Congress seeks to invest in U.S. education, science, and technology as well as research and development. This Act would invest $100 billion in these areas over a five-year period. The Act, as originally submitted, would rename the National Science Foundation as the National Science and Technology Foundation, and establish two Deputy Directors, one for Science and one for Technology.

The Deputy Director of Technology would oversee a newly created Directorate for Technology whose goals include:

  • Creation of stronger leadership in critical technologies through research in key technology focus areas;
  • Improving education in key technology focus areas and making it more attractive for students to become involved in those areas;
  • Increasing federally-funded research and development to achieve national goals related to economic competitiveness, domestic manufacturing, national security, shared prosperity, energy and the environment, health, education and workforce development, and transportation.

The ten key focus areas would be:

  • Artificial intelligence and machine learning (AIML);
  • High performance computing, semiconductors, and advanced computer hardware;
  • Quantum computing and information systems;
  • Robotics, automation, and advanced manufacturing;
  • Natural or anthropogenic disaster prevention;
  • Advanced communications technology;
  • Biotechnology, genomics, and synthetic biology;
  • Cybersecurity, data storage, and data management technologies;
  • Advanced energy; and,
  • Materials science, engineering, and relevant exploration.

For the drone industry this is great news. The Act would increase scholarships, fellowships and other student support in areas including AIML, automation, robotics and advanced manufacturing, which are all important to autonomous flight. However, the fate of the Endless Frontier Act is still unknown. We will follow its path through Congress and see if it may pave the way for more legislation like it.

Many individuals already use facial recognition technology to authenticate and authorize payments through their smartphones. According to Juniper Research, by 2025 (only four years away), 95 percent of smartphones will have biometric technology capabilities for authentication, including face, fingerprint, iris, and voice recognition. According to Juniper Research, this will amount to the authentication of over $3 trillion in payment transactions on a yearly basis.

Technology vendors are starting to use biometric information more and more to provide services to consumers. For instance, Spotify recently released its “Hey Spotify” feature for its app. If you use Spotify, and the new feature is rolled out to your device, you will see a pop-up with a big green button at the bottom that reads, “Turn on Hey Spotify” and a very small link in white that reads, “Maybe later.” Above the big green button in white is text that reads, “LEARN HOW WE USE VOICE DATA” and “When we hear ‘Hey Spotify’ your voice input and other information will be sent to Spotify.”

The big green button is very noticeable and the white text less so, but when you click on the “LEARN HOW” button, you are sent to a link that reads, “When you use voice features, your voice input and other information will be sent to Spotify.” Hmmm. What other information?

It continues, “This includes audio recording and transcripts of what you say, and other related information such as the content that was returned to you by Spotify.” This means that your biometric information–your voice–and what you actually say to Hey Spotify is collected by Spotify. Spoiler alert: you only have one voice and you are giving it to an app that is collecting it and sharing it with others, including unknown third parties.

The Spotify terms then explain that it will use your voice, audio recordings, transcripts and the other information that is collected “to help us provide you with advertising that is more relevant to you. It also includes sharing information, from time to time, with our service providers, such as cloud storage providers.” It then explains that you can “interact with advertisements on Spotify using your voice. During a voice-enabled ad, you will hear a voice prompt followed by an audible tone.” Of course, you should know that your response will then be recorded, collected, and shared.

In response to the question “Is Spotify recording all of my conversations?,” the terms state that “Spotify listens in short snippets of a few seconds which are deleted if the wake-word is not detected.” That means that it is listening frequently until you say, “Hey Spotify.” It doesn’t say how often the short snippets occur.

Consumers can turn off the voice controls and voice ads by disabling their microphone. This is true for all apps that include access to the microphone, which is why it is important to frequently look at your privacy settings and see which apps have access to your microphone and to manage that capability (along with all of the apps in your privacy settings).

It is important to know which apps have access to your biometric information and who they share it with, as you cannot manage that biometric information once you give it away. You don’t know how they are really using it, or how they are storing, securing, disclosing, or retaining it. Think about your Social Security number and how many times you have received a breach notification letter. You can try to protect your credit and your identity with credit monitoring and credit freezes, but you can’t use those tools for the disclosure of your biometric information to scammers and fraudsters.

Your voice can be used for fraudulent purposes. It can be used for authentication to get into accounts, and for vishing (see blog post on vishing here). Your voice is unique, and sharing it with apps or others without knowing how it is secured is something worth considering. If the information is not secured and is exposed in a security incident, it gives criminals another very potent tool to commit fraud against you and others.

Before providing your biometric information to any app, or anyone else for that matter, read the Privacy Policy and Terms of Use and understand what you are giving away merely for the convenience of using the app.

I once drove over the Golden Gate Bridge in a rental car, not knowing that it was a toll bridge and that no cash payment options were available. I slowly and stressfully tried to figure out what to do, but realized I had no option but to drive through without paying. It was an awful feeling, but then I saw a sign that said if you didn’t pay the toll, you would be billed for it. I felt better already. Then I saw what the rental company charged on my credit card for the toll: $75.00. Ouch. I wondered how the entity collecting the tolls knew I was in a rental car, and it became obvious to me that there were cameras logging the license plate numbers as vehicles passed through the open toll booths to identify those vehicles and owners who did not pay the toll. I paid the exorbitant bill and learned a valuable lesson.

In that same vein, drivers in Orange County, California filed suit against The Transportation Corridor Agencies, doing business as The Toll Roads (and others) in litigation entitled In Re Toll Roads Litigation, alleging that their license plate information was taken at toll booths and then shared illegally, along with other personally identifiable information, with third-party collection agencies, which caused the plaintiffs to incur damages. Plaintiffs alleged that the failure to pay one toll resulted in thousands of dollars in penalties, liens and repossessions of cars, and damaged credit. One plaintiff alleged that toll fees of approximately $3,500 ended up totaling $55,000 after adding toll evasion penalty fees.

According to the Complaint, “The conversion to a cashless system was deceptively and negligently designed and implemented by defendants to cause a radical increase in violations (and thus revenue) for defendants…Defendants have exploited the statutory scheme under which the toll roads were authorized in California…” Plaintiffs allege that their drivers’ license numbers and other personal information was illegally disclosed to third parties, including collection agencies.

Although the litigation has been pending for years, it appears that a settlement has been agreed to this week (subject to the District Court’s approval) that provides $1 million to be distributed to eligible class members, and forgiveness of up to $40 million in penalties for some eligible members. Approximately 140,000 drivers still owe tolls and penalties and their penalties will be reduced to $100 per violation. Further, it is being reported that part of the settlement includes an agreement by the defendants not to provide personally identifiable information to third-party debt collectors.

Since this is a common practice for tolls, there is no doubt that we will see more class action cases involving this practice in the future.

The Federal Bureau of Investigation (FBI) recently issued a joint alert with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) stating that “Mamba ransomware has been deployed against local governments, public transportation agencies, legal services, technology services, industrial, commercial, manufacturing, and construction businesses.”

According to the Alert, the hacking group behind the Mamba ransomware attacks is weaponizing an open source disk encryption tool—DiskCryptor—to encrypt the entire operating system of its victims. Once the operating system has been encrypted, a ransom note appears and demands payment for the decryption key.

The Alert states, “[T]he ransomware program consists of the open source, off-the-shelf, disk encryption software DiskCryptor wrapped in a program which installs and starts disk encryption in the background using a key of the attacker’s choosing….The ransomware extracts a set of files and installs an encryption service. The ransomware program restarts the system about two minutes after installation of DiskCryptor to complete driver installation.”

The Alert lists the key artifacts, which can be accessed here.

The FBI recommends the following mitigations:

  • Regularly back up data, utilize air gap network security measures, and password protect backup copies offline. Ensure that copies of critical data are not accessible for modification or deletion from the system where the data resides.
  • Implement network segmentation.
  • Require administrator credentials to install software.
  • If DiskCryptor is not used by the organization, add the key artifact files used by DiskCryptor to the organization’s execution blacklist. Any attempts to install or run this encryption program and its associated files should be prevented.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (i.e., hard drive, storage device, the cloud).
  • Install updates/patch operating systems, software, and firmware as soon as they are released.
  • Use multifactor authentication where possible.
  • Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts. Implement the shortest acceptable timeframe for password changes.
  • Disable unused remote access/RDP ports and monitor remote access/RDP logs.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Install and regularly update anti-virus and anti-malware software on all hosts.
  • Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.
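The Alert describes a recognizable sequence: a disk-encryption service is installed and the host restarts about two minutes later. The following Python is an added example (not code from the Alert or from CISA) that correlates that sequence over constructed log lines; the DiskCryptor artifact file names, the approved-host list and the log format are all placeholders or assumptions, and the real artifact names should be taken from the Alert itself.

```python
import re
from datetime import datetime, timedelta

# Placeholders only: replace with the DiskCryptor artifact file names listed
# in the FBI/CISA Alert. These strings are NOT real indicators.
DISKCRYPTOR_ARTIFACTS = {"placeholder_dcdriver.sys", "placeholder_dcservice.exe"}

# Hosts where DiskCryptor is sanctioned; anywhere else an install is suspect
# (the Alert's "if DiskCryptor is not used by the organization" mitigation).
# Constructed for this example.
APPROVED_HOSTS = {"LAB-CRYPTO01"}

# The Alert says the wrapper restarts the system about two minutes after
# installing DiskCryptor; allow some slack around that figure.
RESTART_WINDOW = timedelta(minutes=3)

# Constructed line format: "<date> <time> <host> <event> [<detail>]"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<event>\w+)(?: (?P<detail>.*))?$")


def parse(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    ev["detail"] = ev["detail"] or ""
    return ev


def hunt(lines):
    """Return one alert per host on which a DiskCryptor artifact was installed
    as a service and the host restarted within RESTART_WINDOW afterwards."""
    pending = {}  # host -> (install time, image path) awaiting a restart
    alerts = []
    for ev in filter(None, map(parse, lines)):
        if ev["event"] == "ServiceInstalled":
            image = ev["detail"].rsplit("\\", 1)[-1].lower()
            if image in DISKCRYPTOR_ARTIFACTS and ev["host"] not in APPROVED_HOSTS:
                pending[ev["host"]] = (ev["ts"], ev["detail"])
        elif ev["event"] == "SystemRestart" and ev["host"] in pending:
            installed_at, image = pending.pop(ev["host"])
            delay = ev["ts"] - installed_at
            if delay <= RESTART_WINDOW:
                alerts.append({"host": ev["host"], "image": image,
                               "delay_s": int(delay.total_seconds())})
    return alerts


# Constructed sample events: one Mamba-like sequence, one sanctioned host,
# one ordinary agent install followed by a patch reboot, one malformed line.
SAMPLE_LOG = [
    r"2021-03-20 02:14:05 FILESRV01 ServiceInstalled C:\Windows\System32\drivers\placeholder_dcdriver.sys",
    r"2021-03-20 02:16:11 FILESRV01 SystemRestart initiated by SYSTEM",
    r"2021-03-20 02:20:00 LAB-CRYPTO01 ServiceInstalled C:\tools\placeholder_dcservice.exe",
    r"2021-03-20 02:21:30 LAB-CRYPTO01 SystemRestart planned maintenance",
    r"2021-03-20 03:00:00 WS-044 ServiceInstalled C:\Program Files\Vendor\agent.exe",
    r"2021-03-20 03:01:00 WS-044 SystemRestart patch reboot",
    "not a log line",
]

if __name__ == "__main__":
    for a in hunt(SAMPLE_LOG):
        print(f"ALERT {a['host']}: {a['image']} installed, reboot {a['delay_s']}s later")
```

Running it against the sample log yields a single alert for FILESRV01; the sanctioned lab host and the ordinary agent install are ignored.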

Applus Technologies, Inc., a vendor of multiple state Departments of Motor Vehicles that assists states with vehicle inspections, recently announced that its systems have been affected by malware, disrupting motor vehicle inspections in Connecticut, Georgia, Idaho, Illinois, Massachusetts, New York, Texas, and Utah. As a result of the outage, vehicle inspections have not been able to be completed since March 30, 2021.

This is obviously very inconvenient for those individuals whose inspection stickers have expired or will expire shortly, as they are at risk of being issued a citation for an expired inspection sticker, on top of having to take time off to get their car inspected.

To address this concern, the Massachusetts Registry of Motor Vehicles (RMV) said, “[R]ecognizing the inconvenience Applus’ outage is causing, the RMV has been in communication with law enforcement to request cooperation and discretion in citing those with an expired sticker who may have attempted to visit a station this week.” The RMV has extended a grace period of one month to drivers who were unable to get their inspection stickers because of the outage.

After inspections had been delayed for a week, on April 7, 2021, Applus forwarded a software patch to service stations to try to fix the problem. However, it is being reported that Applus forwarded the patch to service stations on flash drives! Flash drives are notorious for being used to plant malware and ransomware in users’ systems. Sending a patch on a flash drive is contrary to security best practices.

Applus has stated that it does not believe that any customer (i.e., service station) financial information has been compromised, but is working with a forensic expert.

Lesson learned: get your inspection sticker in plenty of time before it expires.

The California Attorney General recently approved modified regulations under the California Consumer Privacy Act (CCPA). One part of the modified regulations bans “dark patterns” on a website. What are dark patterns? Public comments to the proposed regulations describe dark patterns as deliberate attempts to subvert or impair a consumer’s choice to opt out on a website. Dark patterns could be used on a website to confuse or distract a consumer into granting consent rather than choosing the opt-out option.

The modified regulations therefore ban the use of dark patterns that:

  • Use an opt-out request process that requires more steps than the process for a consumer to opt back into the sale of personal information after previously opting out;
  • Use confusing language (e.g., double-negatives, “Don’t Not Sell My Personal Information”);
  • Require consumers to click through or listen to unnecessary reasons why they should not submit a request to opt-out before confirming their request;
  • Require a consumer to provide personal information that is unnecessary to implement an opt-out request; or
  • Require a consumer to search or scroll through the text of a website or privacy policy to submit the opt-out request after clicking the “Do Not Sell My Personal Information” link (but before actually choosing the option).

If your website uses any such dark patterns, you may wish to revise those mechanisms and implement clearer, more transparent methods for your website’s users to opt out.