The Rundown Oct 25

10-25-2024
David S Harris
infostealer
SEC Fines
Ransomware Payments
Fidelity Data Breach
Nidec Data Breach
Autobell Data Breach

SEC Fines Four Companies $7M for Inadequate Cybersecurity Disclosures

The U.S. Securities and Exchange Commission (SEC) revealed on Tuesday that four companies were fined a total of $7 million for issuing misleading cybersecurity statements, particularly related to the significant 2019 SolarWinds cyberattack. The companies:

  • Unisys Corp.

  • Avaya Holdings Corp.

  • Check Point Software Technologies Ltd.

  • Mimecast Limited

were found to have understated the impact of their breaches, withholding full details from investors and the public.

According to the SEC, these companies made “materially misleading disclosures regarding cybersecurity risks and intrusions.” Additionally, Unisys was cited for failing to uphold adequate disclosure controls. Fines varied from nearly $1 million to $4 million per company.

The SEC’s findings showed that all four companies, impacted by the SolarWinds breach, inaccurately presented the extent of the incidents. In SEC reports, they minimized the effects or described risks hypothetically, despite knowing their systems had been compromised.

Unisys Corp., fined the largest amount at $4 million, was cited for incorrectly categorizing cybersecurity risks as hypothetical despite two significant breaches tied to SolarWinds. These breaches involved the unauthorized access and extraction of over 33 GB of data from Unisys’s systems. The SEC also highlighted Unisys’s lack of proper internal controls to ensure accurate and prompt disclosure of high-risk events.

Avaya Holdings Corp. received a $1 million fine for omitting critical details about its SolarWinds-related breach. Avaya’s filings mentioned only “a limited number of company email messages” accessed by attackers, though it knew that at least 145 files from its cloud environment were compromised. Furthermore, threat actors monitored the emails of Avaya’s cybersecurity responders, adding to the severity.

Check Point Software Technologies Ltd. was fined $995,000 for using overly generic language to downplay cybersecurity risks, even after discovering malware and hacker movement within its network. Mimecast Limited received a $990,000 fine for minimizing the details of its breach, which involved the extraction of key code and encrypted credentials. The SEC noted Mimecast’s omission of crucial information about the data stolen and the level of compromise.

The SolarWinds breach compromised SolarWinds’ IT management software, affecting numerous U.S. government agencies and private entities. This incident is now a reference point for cybersecurity management and disclosure standards.

Growing Concerns Over Ransomware Payments and Cyber Insurance Coverage

The U.S. government is seeking ways to disrupt ransomware operations responsible for thousands of attacks each year, including urging cyber insurance providers to stop covering ransom payments. A senior cybersecurity advisor stated, “This troubling practice must end.”

While the FBI advises against paying ransoms, officials understand that companies may feel compelled to regain control of vital systems. With 2024 expected to be a record year for ransomware incidents, officials are advocating for a new approach to handling ransom demands.

A report from the Office of the Director of National Intelligence reveals over 2,300 ransomware incidents recorded by mid-2024, nearly half affecting U.S. organizations. As operational downtimes and potential exposure of sensitive data threaten reputation and financial stability, companies face tough decisions. Some companies, like Pennsylvania-based Lehigh Valley Health Network (LVHN), have faced lawsuits for refusing ransom payments. After the ALPHV/BlackCat gang leaked sensitive patient data following a ransom standoff, LVHN’s decision led to a class-action lawsuit that eventually cost $65 million in settlement fees.

The Cyber Incident Reporting for Critical Infrastructure Act, expected to take effect in October 2025, will require critical infrastructure organizations to report any ransomware payments, increasing pressure on entities in sectors like healthcare to disclose ransomware dealings publicly.

Healthcare Ransomware Attacks Surge as Microsoft Reports Over 389 Cases

Microsoft reported Tuesday that 389 U.S. healthcare facilities faced ransomware attacks in the past year, leading to delayed procedures and rescheduled appointments. The company’s latest Digital Defense Report noted a 2.75x increase in human-operated ransomware incidents among its customers, although the rate of encryption—locking systems for ransom—has significantly declined over the past two years.

Experts warn that the rise in Internet of Things (IoT) devices and unvetted workplace tools has exposed organizations to greater risk, creating openings for cyber threats across industries.

Cisco Data Breach May Expose Microsoft, Barclays, and SAP Developer Data

Cisco is investigating claims of a data breach after the hacker “IntelBroker” allegedly leaked a sample of stolen customer data on BreachForums. The breach reportedly affected sensitive developer data for customers including Microsoft, Barclays, SAP, T-Mobile, AT&T, and Verizon. Stolen data included source code, credentials, certificates, and API tokens. IntelBroker, a known threat actor with a history of high-profile breaches, has reportedly targeted several major entities in 2024, such as T-Mobile, AMD, and Apple.

Fidelity Investments Data Breach Exposes Personal Data of 77,000 Customers

In August 2024, Fidelity Investments, a leading global asset management company, experienced a cybersecurity breach that exposed sensitive personal data belonging to 77,000 clients. The attack, which occurred between August 17 and 19, involved unauthorized access to Social Security numbers, driver’s licenses, and other personal details, putting clients at risk of identity theft and fraud. Threat actors gained entry by posing as new clients, a tactic that allowed them to bypass initial security measures and infiltrate the company’s database.

Although Fidelity detected suspicious activity two days after the breach, the attackers had already accessed and stolen the data. Following the breach, Fidelity assured customers that their personal assets and accounts remained secure, yet the company withheld specific details on how the breach occurred, leading to concerns about security protocols. Fidelity has informed affected customers of the breach, advising them to monitor for identity theft, fraudulent credit applications, and other unusual activities in the coming months. This incident underscores the heightened vulnerability of financial institutions to cyberattacks targeting sensitive customer data and has raised questions about the sufficiency of data protection measures at large asset management firms.

Nidec Corporation Ransomware Attack Leaks Sensitive Business Data

Nidec Corporation, a major player in precision motor and component manufacturing, confirmed a data breach involving its Vietnam-based Nidec Precision division. Specializing in optical, electronic, and mechanical equipment for the photography industry, this division fell victim to a ransomware attack that compromised its VPN account credentials, allowing attackers to access a server containing extensive confidential information. The cyberattack exposed over 50,000 files, including internal documents, business contracts, safety policies, and communications with business partners.

The ransomware group initially attempted to extort Nidec for payment, threatening to leak the stolen data publicly if their demands were unmet. When the company refused to negotiate, the attackers began posting the stolen data on the dark web. Nidec has since remediated the security vulnerabilities, closed the entry point, and implemented additional safeguards based on cybersecurity experts' recommendations. The company is in the process of directly notifying affected business partners. While Nidec has not identified the specific group behind the attack, it acknowledged the compromised data originated from its systems and warned employees, contractors, and associates to be cautious of potential phishing attacks exploiting the leaked information. The breach emphasizes the ongoing risk ransomware attacks pose to global manufacturing companies and their extensive networks of partners.

Autobell Car Wash Breach Exposes 52,000 Customers’ Personal Information

Autobell, one of the largest car wash networks in the U.S. with over 80 locations, reported a cybersecurity incident that exposed personal data of 52,000 customers in April 2024. The breach allowed attackers to move through Autobell’s network over six days, during which they accessed sensitive customer information, recorded calls, user data, payroll details, contracts, and other critical documents. However, it took the company more than five months to identify and disclose the scope of the breach.

In response, Autobell hired a cybersecurity firm to conduct an investigation. The Maine Attorney General was informed that attackers had accessed names and other personal identifiers, though the full range of exposed data remains unclear. The Medusa ransomware gang, known for publicizing its attacks, claimed responsibility by listing Autobell on its dark web blog in early May 2024. It reported stealing 183.3GB of data and likely intended to use the data to increase pressure for ransom payments by exposing Autobell’s business practices to public scrutiny.

With the rise in ransomware attacks on medium-sized and service-based businesses, Autobell’s breach highlights the need for these companies to improve their cybersecurity postures, especially as they handle vast amounts of customer information. The incident also reflects the increasing sophistication of ransomware groups, which leverage stolen data to amplify public awareness and compel victims to pay substantial ransoms to avoid reputational damage.

Infostealer Campaign Uses Fake Google Meet Pages

Cybercriminals have been deploying fake Google Meet pages in a new campaign, “ClickFix,” to deliver infostealers targeting Windows and macOS systems. This social engineering tactic involves displaying fake error messages to trick users into running malicious PowerShell code. With over 6,000 compromised WordPress sites, this campaign bypasses conventional security tools by having users manually execute the malware, highlighting the rising risks in open-source security tools.
