Takeaway: CISA and CGYBER recommend that all organizations that did not immediately apply available patches assume Log4Shell compromise and initiate threat hunting activities.
In December 2021, the world was held hostage by hackers who exploited the Log4Shell vulnerability. As part of this exploitation, suspected advanced threat actors implanted loader malware on compromised systems with embedded directives enabling remote command and control. A confirmed compromise showed that these actors were able to infiltrate a disaster recovery network and collect sensitive data.
Cybersecurity agencies and governmental policy bodies acted immediately against these threats and released patches and Malware Analysis Reports MAR-10382580-1 and MAR-10382254-1 detailing the malware and workarounds. But the threat was omnipresent.
The Cybersecurity and Infrastructure Security Agency (CISA) and the United States Coast Guard Cyber Command (CGYBER) recently released a warning in July to network defenders that cyber threat actors continue to exploit CVE-2021-4423 (Log4Shell) in VMware Horizon and Unified Access Gateway (UAG) servers to infiltrate organizations that failed to apply patches.
Organizations are encouraged to read MAR-10382254-1, which provides examples of malware samples, including indicators of compromise (IOCs) and detection signatures.
What organizations must do now is:
Install fixed builds, updating all affected VMware Horizon and UAG systems to the latest versions. If updates or workarounds were not promptly applied following VMware’s release of updates for Log4Shell in December 2021, organizations must treat all affected VMware systems as compromised.
Minimize the internet-facing attack surface by hosting essential services in a segregated demilitarized zone (DMZ), ensuring strict network perimeter access controls, and implementing regularly updated web application firewalls (WAFs) in front of public-facing services.
For the full article and specific examples of Log4Shell threat events, go to:
https://www.cisa.gov/uscert/ncas/alerts/aa22-174a
Takeaway: The recent vulnerabilities in Apple software have exemplified the importance of patch management and keeping devices up to date with the latest operating systems and software in order to protect the security of devices.
The recent data breach reported by Apple, Inc. (“Apple”) has once again brought global attention to privacy threats caused by security flaws and vulnerabilities.[1] On Wednesday, August 17, 2022, Apple released two emergency updates in response to a zero-day threat, that is, an attack that targets a previously unknown security vulnerability. The updates affected the following products: “iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)” as well as Safari and Mac computers running macOS Monterey.[2] Given that there are over 1.5 billion active Apple products in use worldwide, the vulnerability had potentially significant reach.[3]
The vulnerabilities have the following CVE-IDs: CVE-2022-32893 and CVE-2022-32894. The aim of the Common Vulnerabilities and Exposures (CVE) program is to “identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.”[4] Publishing consistent descriptions of security vulnerabilities allows organizations around the world to coordinate their efforts to prioritize and respond to the vulnerabilities, which maintains the integrity of devices and systems.[5] CVE is sponsored by the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA).
Apple described the issue fixed by the security updates as follows: “an out-of-bounds write issue was addressed with improved bounds checking.”[6] This means that the attacker could write data before the beginning or after the end of the intended buffer, which can cause a crash, corruption of data, or code execution.[7] The issue was addressed by procedures meant to catch errors and protect the integrity of operations by ensuring that certain variables are within the bounds of an array before use.
Takeaway: As cybersecurity risk increases, large enterprises and government agencies are increasingly requiring smaller vendor companies to obtain cyber insurance to help manage the risk of a data breach. To prepare for an annual cybersecurity insurance renewal or initial application, consider the following practices, which could help address the risks most concerning to an insurer.
Although cybersecurity risk is a persistent concern for lawmakers and regulators, a national regulatory standard in the United States does not appear imminent. If, however, your company has applied for cybersecurity insurance recently, the application process may have seemed like a compliance audit. Cybersecurity insurance questionnaires, as complex as they have become, usually inquire about common practices that most businesses should feel confident investing in and implementing.
For the most part, the cybersecurity practices desired by insurance underwriters – in the ever-changing world of cyber risk management – are the same, or similar in nature, to the administrative and technical safeguards required under various State and federal security standards. To prepare for an annual cybersecurity insurance renewal or initial application, consider the following practices which could help address the risks most concerning to an insurer and, perhaps even, reduce the insurance premium.
Implement Written Information Security Policy (WISP) and Incident Response Plan (IRP) – The objective of a WISP is to guide the implementation of the proper technical, administrative, and physical safeguards needed to protect an organization’s data. An IRP helps reduce the impact of a breach by creating a structured and systematic plan of response in the event of an incident affecting an organization’s systems, network, or data, including any data held by outside vendors or service providers. The IRP will also govern contingency plans like encrypted backups of your IT system and data.
Password Management and Multi-Factor Authentication (MFA) – Anyone accessing a system, network or data should be asked to provide multiple methods of validating their identity.
Takeaway: Governor Wolf signed a bill that authorizes the governor to order the Pennsylvania National Guard to assist local governments and private entities with cybersecurity support, training, and more.
On July 7, 2022, Governor Wolf approved House Bill 2412, which grants the governor additional powers under Title 51 to order the Pennsylvania National Guard to support State and Local government entities with cybersecurity support, training, exercises, and more. [1]
This legislation permits the governor “to mobilize our experts through a special state duty status to protect our vital systems and securing personal information.” [2] The two military cybersecurity teams in Pennsylvania primarily subject to the governor’s orders under this bill are the PA Army National Guard Defense Cyber Operations and the PA Air National Guard 112th Cyberspace Operations Squadron. [3]
Trained military cybersecurity experts can now support local governments and non-government critical infrastructure entities after those entities submit requests for assistance. [4] State and Local governments and designated critical infrastructure can receive operational cybersecurity support. Private and educational institutes can receive training and exercises from the Guard.
During a House Veterans Affairs & Emergency Preparedness Committee meeting in April, a sponsor of this Bill and the Cybersecurity Caucus Chair, state Rep. Craig Williams, R-Delaware, said that “We don’t know how many times we’ve been intruded in the cyber space.” [5] Further, Rep. Williams stated, “[Malware] is the leading front of asymmetrical warfare … Part of the effort by Rep. Gaydos and I is to raise awareness about this and try to get some lateral coordination and communication going.” [6]
This new legislation will be particularly beneficial to smaller Pennsylvania local governments without the resources to combat cybercrime independently. With the assistance of the PA National Guard, these government entities can receive actual aid in battling cybercrime and the training necessary to thwart future attacks through educational programs provided by military professionals.
Takeaway: The DOJ’s Cyber Fraud Initiative and qui tam actions under the False Claims Act represent significant enforcement mechanisms for cybersecurity contractor compliance.
On the eve of 2022, the United States began imposing new, punitive cybersecurity measures aimed at making the internet a safer platform for businesses to share and use data. As a direct result, cybersecurity contractors working in the defense industrial base are being targeted by the Department of Justice, resulting in a rapid increase of settlements under the False Claims Act.
Just a few weeks ago, the Department of Defense issued a memorandum reminding contracting officers of their remedies against contractors that fail to implement NIST 800-171 cybersecurity controls. NIST 800-171 is a self-administered cybersecurity requirement for all DoD contractors. The DoD memorandum urges contracting officers to use available remedies, including withholding progress payments, foregoing remaining contract options, and potentially terminating the contract in part or in whole.[1]
The following cases serve as cautionary tales to cybersecurity contractors:
If a cybersecurity contractor knowingly fails to comply with material cybersecurity requirements, the contractor could be exposed to liability via qui tam actions under the False Claims Act.[2]
The recent Aerojet Rocketdyne settlement is foretelling.[3] Aerojet’s Senior Director for Cybersecurity filed the Aerojet action in April as a whistleblower under the False Claims Act. The action alleged that Aerojet fraudulently induced the government to contract with the aerospace company by not fully disclosing its non-compliance with DoD cybersecurity requirements. The action sought $19 billion in damages.
The evidence showed that Aerojet communicated with the government about its non-compliance as it had sought a waiver of certain requirements. The presiding court, however, found “a genuine dispute of material fact [] as to the sufficiency of the disclosures” and thus denied Aerojet’s motion for summary judgment. The court found, upon a deeper investigation, that Aerojet failed to disclose pertinent information about cyber audits conducted by external firms, as well as past security breaches.
Takeaway: With ransomware attacks increasing over the past few years, healthcare organizations can expect hackers to make ransom demands while holding their computer systems hostage.
Everything comes back in style. In the 90s, computer hackers learned how to infiltrate networks, hold them hostage, and demand payment to make them functional again. Recently, this strategy has resurged in the healthcare industry, potentially placing people’s lives at risk.
From 2021 to 2022, the number of ransomware attacks on healthcare organizations skyrocketed by 94%. This resulted in two-thirds of healthcare organizations in the U.S. experiencing some form of a ransomware attack in 2021, up from 34% in 2020. According to cybersecurity experts, ransomware attacks on healthcare organizations were always common. But it is the increase in frequency and severity of these attacks now that is worrisome.
These attacks can have devastating consequences. Most recently in San Diego, California, treatments at a chemotherapy facility were delayed and, at another healthcare facility, ambulances were diverted from the emergency room after computer systems were frozen by an attack. In 2021, the first lawsuit alleging “death by ransomware” occurred where a mom sued a hospital for fatal brain damage to her newborn after heart rate monitors failed because of an attack.
Healthcare facilities are high-profile targets because attackers know the facilities are willing to pay high ransoms to safeguard people’s lives. In fact, 61% of healthcare organizations paid attackers ransom to resolve a ransomware attack in 2021.
Most of these attacks are carried out by private criminal groups. Conti, a crime syndicate out of Russia, was traced back to 30% of ransomware attacks in 2021. And just two weeks ago, the FBI revealed in June that it successfully thwarted an attack from Iran on a children’s hospital in Boston.
As this unsophisticated tactic of the recent past resurfaces, organizations that utilize or transmit private health information must ensure that they are prepared.
Takeaway: Although the enactment of the Italian Sunshine Act furthers the global expansion of healthcare transparency, the implied consent provision may not comply with the GDPR.
I. Overview and Requirements of the New Italian Sunshine Act
Law n. 62 of May 31, 2022[1], or the Italian Sunshine Act, took effect on June 26, 2022. This law requires transparency of “relationships, having economic relevance or advantage, between companies producing drugs, tools, equipment, goods and services, including non-medical ones, and the subjects who operate in the health sector or health care organizations” for the first time in Italy. The Sunshine Act advances the right to knowledge of economic relationships in the healthcare sector by broadly defining its reach. Article 1 notes that the law is aimed to promote transparency as well as prevent and fight corruption.
Article 5 establishes an online public register that will become active through the Ministry of Health within six months of the date of entry into force of the law. Data will be reported and published bi-annually and will remain publicly available for five years. The Minister of Health will consult with the Agency for Digital Italy, the National Anti-Corruption Authority, and the Italian Data Protection Authority within three months of the date of entry into force of the law to determine the best technical characteristics of the electronic public register and the requirements for transmission of data.
The Italian Sunshine Act requires disclosure of three types of financial arrangements described in Articles 3 and 4.
First, agreements or disbursements of money, goods, services, or other benefits between a manufacturing company and (a) a subject operating in the health sector, when they have a unit value greater than 100 euros or a total annual value greater than 1,000 euros, or (b) a health organization, when they have a unit value greater than 1,000 euros or a total annual value greater than 2,500 euros, must be reported every semester.
Takeaway: President Biden recently signed into law the “Federal Rotation Cyber Workforce Program Act” and the “State and Local Government Cybersecurity Act”. With these new laws, the Biden Administration is attempting to build a more robust cybersecurity workforce and aid local governments in combating cybercrime.
On June 21, 2022, President Biden signed two bills to combat the war on cybercrime. The two bills are the “Federal Rotation Cyber Workforce Program Act” and the “State and Local Government Cybersecurity Act.”[1]
The Federal Rotation Cyber Workforce Program Act creates a rotating program for cybersecurity and information technology professionals to have the opportunity to work in various federal agencies to sharpen their expertise. The Senate passed this bill in 2019, but the House only voted on it this year. [2]
The State and Local Government Cybersecurity Act looks to improve the coordination between the Department of Homeland Security and local governments when battling cybercrime.[3] This bill requires the National Cybercrime and Communications Integration Center (NCCIC) to share with states its security tools and protocols for dealing with cybercriminals.
Representative Joe Neguse (D-CO), who introduced this bill, stated:
“For hackers, state and local governments are an attractive target — we must increase support to these entities so that they can strengthen their systems and better defend themselves from harmful cyber-attacks.”[4]
Local governments are in need of help from federal agencies because of the sophistication of modern cyber-attacks. These recently passed bills will aid in creating a more extensive network of well-informed cybercrime fighters and agencies.
[1] S. 1097, Federal Rotational Cyber Workforce Program Act of 2021; S. 2520, State and Local Government Cybersecurity Act of 2021.
[2] Madeline Lauver, US passes bills to foreground national security, Security Magazine, June 23, 2022, https://www.securitymagazine.com/articles/97873-us-passes-bills-to-foreground-national-cybersecurity.
[3] Zach Schonfeld, Biden signs cyber bills into law, The Hill, June 6, 2022, 3:35 pm EDT, https://thehill.com/policy/cybersecurity/3531553-biden-signs-cyber-bills-into-law/.
Takeaway: To ensure investor safety and emphasize a commitment to user privacy, corporate executives and similarly situated high-ranking officers must not make any statements or omissions that affirmatively create a misleading impression of the current “state of affairs that differed in a material way from the one that actually existed.” But what qualifies as a misleading statement or omission? This question has recently been addressed by the Ninth Circuit in the context of Securities Fraud claims, which require a plaintiff to plead and prove that: (1) the defendant omitted material facts necessary in order to make the statements not misleading; and (2) scienter on behalf of the person making the statement.
Section 10(b) of the Securities Exchange Act of 1934, as implemented by the SEC’s Rule 10b-5, makes it unlawful:
(a) To employ any device, scheme, or artifice to defraud,
(b) To make any untrue statement of a material fact or to omit to state a material fact necessary to make the statements made, in the light of the circumstances under which they were made, not misleading, or
(c) To engage in any act, practice, or course of business which operates or would operate as a fraud or deceit upon any person, in connection with the purchase or sale of any security.
The United States Supreme Court has interpreted Section 10(b) and Rule 10b-5 as providing an implied private cause of action.[1] In a typical § 10(b) private action based on material misrepresentations or omissions, a plaintiff must prove “(1) a material misrepresentation or omission by the defendant; (2) scienter; (3) a connection between the misrepresentation or omission and the purchase or sale of a security; (4) reliance upon the misrepresentation or omission; (5) economic loss; and (6) loss causation.”[2]
Under Section 10(b) and Rule 10b-5(b), “the maker of a statement is the person or entity with ultimate authority over the statement, including its content and whether and how to communicate it.”[3]
Takeaway: The DOJ’s recent revisions to their internal policy promote the Department’s goals that the CFAA is applied consistently by government attorneys and better understood by the public. These goals ensure that the law adequately responds to evolving cybersecurity and privacy challenges.
On May 19, 2022, the Department of Justice announced[1] revisions to its policy[2] that federal prosecutors must consult before bringing any charges under the Computer Fraud and Abuse Act (“CFAA”).[3] The CFAA provides protection against unauthorized access to or damage to a protected computer, such as hacking, and imposes both civil and criminal penalties for violations. Because the definition of “protected computer” includes computers used in or affecting interstate or foreign commerce or communications, courts have held that any computer connected to the internet falls within the scope of this definition.[4] Thus, clarification of the scope of the potentially wide-reaching Act will ensure more consistent application and enforcement.
The revised policy states that “[t]he Department’s goals for CFAA enforcement are to promote privacy and cybersecurity by upholding the legal right of individuals, network owners, operators, and other persons to ensure the confidentiality, integrity, and availability of information stored in their information systems.”[5]
The revisions note for the first time that government attorneys should decline prosecution if the defendant’s conduct qualifies as “good-faith security research,” which is defined as “accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.” Prosecutors must confer with the Computer Crime and Intellectual Property Section (“CCIPS”) of the Criminal Division prior to charging under the CFAA and accordingly can seek guidance as to whether the defendant’s conduct falls within the definition of good-faith security research.[6]