SANS NewsBites

Merck, Insurers Reach NotPetya Settlement; FBI Sending More Cyber Agents to US Embassies

January 9, 2024  |  Volume XXVI - Issue #02

Top of the News


2024-01-08

Merck, Insurers Reach NotPetya Settlement

Pharmaceutical giant Merck has reached a settlement with insurers over the company’s losses resulting from the NotPetya malware campaign in 2017. The insurers denied Merck’s $700 million claim by invoking acts of war exclusions. Last spring, a New Jersey state appellate court upheld a lower court ruling that the acts of war exemption does not apply. A day before the insurers were scheduled to present arguments before the New Jersey Supreme Court last week, some of the insurers asked the court to dismiss their appeals. Terms of the settlement have not been made public.

Editor's Note

Make sure you’re current on what your cyber insurance will and will not cover, and adjust accordingly. Before you let your legal team convince you they can get the desired outcome regardless of the Insurance Company’s position, consider that Merck’s been working this settlement since 2017 and you may not be able to survive that long waiting on remuneration.

Lee Neely

We now have case law on what is or isn’t considered ‘acts of war’ when it comes to cyber events. Next up will be determining the legal definition of 'nation-state-backed cyberattacks' and how they affect insurance coverage. One can expect that the insurance industry will further refine exclusion policies, as well as increase the cost of coverage because of the settlement.

Curtis Dukes

2024-01-03

FBI Sending More Cyber-Focused Agents to US Embassies

The US Federal Bureau of Investigation (FBI) is adding six new cyber assistant legal attaché positions globally, bringing the total number of cyber-focused FBI agents at American embassies to 22. The new postings aim to improve the US’s international cooperative cybercrime fighting efforts.

Editor's Note

Part of this is to address recent international takedown efforts which haven’t been resulting in arrests. Another part is to increase staff in place to respond to the increased need for cooperation on tracking and taking down international cyber gangs. Local resources, with corresponding connections, context and presence, should help increase the effect of these efforts as they are typically far more effective than working from afar.

Lee Neely

Cybercrime is an international issue and has been for several decades. In many ways, international cooperation is built on close, personal relationships. This placement creates that synergy to be effective in fighting cybercrime.

Curtis Dukes

The Rest of the Week's News


2024-01-08

British Library Still Working on Ransomware Recovery

The British Library’s online catalog and other services have been unavailable since the organization suffered a ransomware attack in late October 2023. In a December 15, 2023 blog, the British Library’s Chief Executive wrote that they expected to have a reference-only version of the catalog up and running by January 15, but the library has not said when they expect to be fully operational. The attackers also copied “a significant chunk” of the library’s data.

Editor's Note

One interesting aspect of the recovery is that the library had a reserve fund to finance such an incident and is not reaching out to traditional sources for added funding to get back online. Have you documented how a ransomware recovery would be funded in your shop? Make sure the thinking doesn’t stop after filing the insurance claim, or just asking for more money.

Lee Neely

2024-01-08

NIST Guidance on Adversarial Machine Learning Attacks and Mitigations

The US National Institute of Standards and Technology (NIST) has published NIST.AI.100-2, Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations. The document addresses attacks and mitigations for both predictive and generative AI.

Editor's Note

As AI keeps evolving, it’s important to understand how it can be attacked or manipulated to achieve malicious intent or results. Creating a reference taxonomy and terminology should make it easier for us to discuss and develop protections for AI (generative and predictive).

Lee Neely

2024-01-08

LoanDepot Acknowledges Ransomware Incident

In a Form 8-K filed with the US Securities and Exchange Commission (SEC), LoanDepot disclosed that some of their systems were compromised, and that data were accessed and encrypted during an incident that began on Thursday, January 4. LoanDepot has taken systems offline while investigating the incident.

Editor's Note

Although the company has informed regulators and law enforcement, they have yet to declare it had a material impact. It’s hard to believe that a ‘cybersecurity incident’ that bears all the trademarks of a ransomware attack wouldn’t have a material impact on the company. This will be a good test drive of the newly established SEC cybersecurity rules.

Curtis Dukes

LoanDepot is a non-traditional bank or non-bank which services about $140 billion in loans with about 6,000 employees; the impact could be quite large. If you’re a LoanDepot customer, given the sensitivity of your data associated with that loan, you may want to subscribe to credit/identity monitoring and restoration services just to get the ball rolling.

Lee Neely

This appears to be a case of erring on the safe side. LoanDepot was timely in disclosing the breach, which was detected over the weekend. Notification to the SEC was within four days. However, there is no mention in the reports of a determination by LoanDepot of materiality. While we do need experience with the rule, this case may not be helpful.

William Hugh Murray

2024-01-05

Law Firm Discloses Data Breach

Law firm Orrick, Herrington & Sutcliffe has disclosed that it experienced a data breach in early 2023. The incident affected sensitive information belonging to more than 600,000 people; affected individuals have been notified. The compromised data include driver’s license, passport, and tax ID numbers, financial account details, and healthcare and health insurance information.

Editor's Note

The breach occurred between February 28 and March 13, 2023, and attackers had access to Orrick’s client data storage file servers. They have taken steps to raise the bar and prevent recurrence. While Orrick has not detected any misuse of the breached information, they have settled four class-action lawsuits related to this breach.

Lee Neely

Legal firms are frequently targeted as they host client data of interest to cyber criminals and are more likely to pay a ransom should they become a victim.

Curtis Dukes

2024-01-02

Museum Services Software Suffers Ransomware Attack

Gallery Systems, a company that provides museum software solutions, disclosed that it suffered a ransomware attack at the end of December. The attack caused outages for museums that use the software to allow their collections to be viewed online and to manage internal documents. Gallery Systems took systems offline to prevent the ransomware from spreading further.

Editor's Note

The outage impacts museums using the hosted version of their software. No ransomware gang has taken credit for the attack, and Gallery Systems hasn’t published a service restoration date. Gallery Systems is restoring the most recent backups of customer data as well as using their customer notification system to keep them apprised/updated.

Lee Neely

2024-01-08

Critical Flaw in Apache OFBiz ERP Framework is Being Actively Exploited

A known critical authentication bypass vulnerability in Apache’s OFBiz enterprise resource planning (ERP) framework is being actively exploited, according to researchers from SonicWall. Users are urged to upgrade to Apache OFBiz version 18.12.11 or newer. SonicWall detected the vulnerability (CVE-2023-51467) while looking into the root cause of an earlier detected vulnerability.

Editor's Note

Apache OFBiz is a component used in other software, for example in JIRA. The flaw is particularly unfortunate as it was meant to be patched a while ago, but OFBiz developers did not understand the full impact of the flaw and only created a partial fix for the underlying authentication bypass.

Johannes Ullrich

CVE-2023-51467, an authentication bypass, carries a CVSS score of 9.8 and is being actively targeted. OFBiz is an open source ERP framework that includes business automation capabilities. The fix invokes better input validation checks when the field is empty, and the update appears pretty simple/low risk.

Lee Neely

Kudos to SonicWall for researching the original vulnerability and determining root cause. Given that Apache’s software framework is used by many e-commerce sites, prioritize the vulnerability, and immediately update to the newer version of OFBiz.

Curtis Dukes
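The OFBiz item above turns on a general lesson: an authentication routine that treats an empty field as "nothing to check" instead of "failed login" opens a bypass, and the durable fix is to validate the fields first and fail closed. The following is an added illustration of that principle, not Apache OFBiz code and not a description of the CVE-2023-51467 code path; the user store, password, request parameter names and status strings are all constructed for the example.

```python
"""Fail-closed handling of empty login fields (added illustration, not OFBiz code).

Two versions of a toy login check over a constructed user store:
- login_vulnerable: only runs the password comparison when both fields
  are non-empty, so a blank request falls through to a status the caller
  does not treat as a failure.
- login_fixed: rejects empty input up front; empty credentials are a
  failed login, never a special case.
"""
import hashlib
import hmac

# Fixed salt keeps the example deterministic; a real system uses a random per-user salt.
_SALT = bytes.fromhex("00" * 16)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> (salt, PBKDF2 hash of the password)
USERS = {"admin": (_SALT, _hash_password("correct horse battery staple", _SALT))}


def _password_matches(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(_hash_password(password, salt), stored)


def login_vulnerable(params: dict) -> str:
    """Buggy pattern: an empty field short-circuits the credential check."""
    username = params.get("USERNAME", "")
    password = params.get("PASSWORD", "")
    if username and password:
        return "success" if _password_matches(username, password) else "error"
    # Meant for a separate "account setup" workflow, but reachable by any
    # request that simply leaves the credentials blank.
    return "setup_pending"


def login_fixed(params: dict) -> str:
    """Hardened pattern: validate the fields first, then fail closed."""
    username = params.get("USERNAME", "")
    password = params.get("PASSWORD", "")
    if not username or not password:
        return "error"
    return "success" if _password_matches(username, password) else "error"


def is_authenticated(status: str) -> bool:
    """Caller logic in many frameworks: anything that is not an explicit error proceeds."""
    return status != "error"


if __name__ == "__main__":
    blank = {"USERNAME": "", "PASSWORD": ""}
    print("vulnerable, blank request:", is_authenticated(login_vulnerable(blank)))  # True
    print("fixed, blank request:     ", is_authenticated(login_fixed(blank)))       # False
```

The point to carry into code review is the shape of the caller's check: when downstream logic proceeds on "not an error", every branch of the login routine that is not a verified success must return the error status, including the branches that handle missing or empty input.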

2024-01-05

Ivanti Releases Update to Fix Critical SQL Injection Flaw

Ivanti has warned of a critical SQL injection vulnerability in its Endpoint Protection Manager (EPM) that could be exploited to achieve remote code execution. Ivanti EPM runs on multiple platforms, including major OSes and Internet of Things routers. The vulnerability affects all supported versions of the product.

Editor's Note

The SQL injection flaw can be used to discover secrets used to manage devices connected to a particular Ivanti instance. These secrets can then be used to execute code not just on the Ivanti instance but on any device connected to it.

Johannes Ullrich

CVE-2023-39336 has a CVSS rating of 9.6 and has a low difficulty level of exploit. Ivanti claims attackers need internal network access for exploitation, but with the numbers of telecommuters, it’s tricky to assess what’s protected by a corporate firewall or otherwise. The best bet is to deploy the update, setting Internal/External aside. Make sure you’re applying EPM 2022 Service Update 5; 2021.1 Service Update 5 doesn’t include the fix.

Lee Neely
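The Ivanti note describes why a SQL injection in a management server is so damaging: the database holds the secrets used to manage every enrolled device. The following is an added example, not Ivanti code and not a description of the CVE-2023-39336 query, showing the defect class and its fix on a constructed SQLite table of device secrets: a lookup built by string formatting returns whatever rows the caller's text selects, while the same lookup with a bound parameter returns only the named host. Table name, hostnames and secret values are placeholders constructed for the example.

```python
"""String-built SQL versus bound parameters (added illustration, not Ivanti code)."""
import sqlite3

# Constructed sample data; the secrets are placeholders, not real values.
DEVICES = [
    ("laptop-01", "agent-secret-PLACEHOLDER-1"),
    ("laptop-02", "agent-secret-PLACEHOLDER-2"),
    ("server-09", "agent-secret-PLACEHOLDER-3"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory table shaped like a device-management secret store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE device_secrets (hostname TEXT PRIMARY KEY, secret TEXT)")
    conn.executemany("INSERT INTO device_secrets VALUES (?, ?)", DEVICES)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, hostname: str) -> list:
    """Defect: the caller's text is spliced into the SQL statement itself."""
    sql = f"SELECT hostname, secret FROM device_secrets WHERE hostname = '{hostname}'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, hostname: str) -> list:
    """Fix: the driver binds the text as a value, so it can never alter the query."""
    sql = "SELECT hostname, secret FROM device_secrets WHERE hostname = ?"
    return conn.execute(sql, (hostname,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Textbook tautology input: closes the string literal and adds an always-true clause.
    probe = "' OR '1'='1"
    print("vulnerable rows returned:", len(lookup_vulnerable(db, probe)))  # 3: every secret
    print("fixed rows returned:     ", len(lookup_fixed(db, probe)))       # 0: no such host
```

The fixed form is the only one that should survive review of a management-plane code base: any query whose WHERE clause is assembled from request data, however it is escaped, is a candidate for the same class of secret disclosure the note describes.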

2024-01-08

QNAP Releases Updates to Fix a Dozen Vulnerabilities

QNAP has made fixes available for a total of 12 vulnerabilities affecting its QTS, QuTS hero, Netatalk, Video Station, QuMagie, and QcalAgent products. Several of the flaws are rated high-severity: a prototype pollution vulnerability in QTS and QuTS hero, an SQL injection vulnerability and an OS command injection vulnerability in Video Station.

Editor's Note

QNAP devices are already targets for adversaries because of the likelihood of unpatched vulnerabilities and often being Internet accessible. Beyond making sure your QNAP devices are updated, not Internet accessible, and verifying both the user accounts and installed applications, make sure you’re subscribed to the QNAP security advisories. (https://www.qnap.com/en-us/security-advisories)

Lee Neely

Internet Storm Center Tech Corner

What is That User Agent?

https://isc.sans.edu/diary/What+is+that+User+Agent/30536

Netstat But Better and in PowerShell

https://isc.sans.edu/diary/Netstat+but+Better+and+in+PowerShell/30532

Double Phishing Submission

https://isc.sans.edu/diary/Are+you+sure+of+your+password/30534

Suspicious Prometei Botnet Activity

https://isc.sans.edu/diary/Suspicious+Prometei+Botnet+Activity/30538

Netfilter DoS Vulnerability CVE-2024-0193

https://access.redhat.com/security/cve/CVE-2024-0193

Cacti Vulnerability

https://github.com/Cacti/cacti/security/advisories/GHSA-pfh9-gwm6-86vp

Spectral Blur Mac Malware

https://g-les.github.io/yara/2024/01/03/100DaysofYARA_SpectralBlur.html

Google Malware Abusing API is Standard Token Theft not an API Issue

https://www.bleepingcomputer.com/news/security/google-malware-abusing-api-is-standard-token-theft-not-an-api-issue/