Cybersecurity Threats & Vulnerabilities
Cybersecurity has never been more important to both companies and individuals as unauthorized access and fraud continue to rise. The FBI's 2019 Internet Crime Report recorded 467,361 complaints of suspected Internet crime, with reported losses in excess of $3.5 billion. That statistic, coupled with several prosecutions announced by the U.S. Department of Justice ("DOJ") last month alone, underscores that cybersecurity is a growing concern that requires significant attention.
This alert discusses recent hacking, malware, and intrusion cases and trends, and provides five takeaways for companies seeking to maintain and improve sound cybersecurity practices.
Recent Cyber Prosecutions & Events
On July 7, 2020, the DOJ in Seattle announced charges against a member of a cybercrime group, "fxmsp," for a prolific hacking scheme that targeted the computer networks of corporate entities, educational institutions, and governments around the world. The fxmsp group established persistent access, or "backdoors," to victim networks, which it then advertised and sold to other cybercriminals, exposing victims to a variety of cyberattacks and fraud. The group employed a collection of hacking techniques and malware to gain entry and maintain access to victim networks. For example, the group used code that scanned the Internet for open Remote Desktop Protocol (RDP) ports and then attacked those exposed services to gain an initial foothold. Once inside, the group moved laterally through the network and implanted malicious code to locate and steal administrative credentials and establish persistent access. The group even modified the settings of victims' existing antivirus software so that its malware could continue to run undetected.
Once the group infiltrated victim networks, it then marketed and sold network access on various underground forums commonly frequented by hackers and cybercriminals for prices ranging from several thousand dollars to over a hundred thousand dollars, depending on the victim and the degree of system access and controls. The DOJ charged the leader of “fxmsp” with conspiracy to commit computer hacking, two counts of computer fraud and abuse (hacking), conspiracy to commit wire fraud, and access device fraud.
On July 31, 2020, the DOJ in San Francisco announced charges against three individuals for a brazen and widespread hack of numerous Twitter accounts belonging to politicians, celebrities, and musicians. The hackers are alleged to have created a scam Bitcoin account, hacked into Twitter VIP accounts, sent solicitations from those accounts falsely promising to double any Bitcoin deposited to the scam account, and then stolen the Bitcoin that victims deposited. As alleged in the complaints, the scam Bitcoin account received more than 400 transfers worth more than $100,000. Bitcoin was central to the scheme's payout, but it was also the group's undoing, since it allowed law enforcement to identify and apprehend the alleged hackers within weeks by analyzing the blockchain and de-anonymizing the Bitcoin transactions.
On July 31, 2020, the DOJ in Nevada secured a guilty plea from a principal of "Infraud," an Internet-based cybercriminal enterprise engaged in the large-scale acquisition, sale, and dissemination of stolen identities, compromised debit and credit cards, personally identifiable information, financial and banking information, computer malware, and other contraband.
For over seven years, Infraud operated in the nefarious practice of "carding" (purchasing retail items with counterfeit or stolen credit card information) over the Internet. It directed traffic and potential purchasers to the automated vending sites of its members, which served as online conduits for trafficking in stolen means of identification, stolen financial and banking information, malware, and other illicit goods. Infraud also provided an escrow service to facilitate illicit virtual currency transactions among its members, and it employed screening protocols that purported to ensure that only high-quality vendors of stolen cards, personally identifiable information, and other contraband were permitted to advertise to members.
Infraud served a tremendous demand across the globe. It had 10,901 registered members seeking its illicit services and inflicted approximately $2.2 billion in intended losses, and more than $568 million in actual losses, on financial institutions, companies, and individuals.
While the DOJ has taken aggressive enforcement measures against various intrusions, the volume of attacks and the challenges of international investigations make its efforts largely reactive, shifting the burden to companies to take protective measures or suffer major operational disruptions. For example, a recent ransomware attack by a Russian cybercriminal gang that calls itself "Evil Corp" took Garmin, the GPS and smartwatch business, entirely offline for more than three days. Garmin restored services to customers after roughly three days amid reports of a $10 million ransom demand, although some services were still operating with limited functionality.
This past spring, the cloud computing company Blackbaud suffered a cyberattack. Blackbaud helps higher education institutions and nonprofit organizations manage donor databases. The attackers accessed private information on donors to at least 16 U.S. universities and more than 200 organizations internationally.
Here are five takeaways based on these recent cases and emerging trends:
- According to the FBI's Internet Crime Complaint Center, the top four crime types reported by victims in 2019 were phishing/vishing/smishing/pharming, non-payment/non-delivery, ransomware, and extortion. Companies can take proactive measures to guard against these types of intrusions, which are particularly popular during the pandemic given the number of employees working remotely, such as: (1) training employees in security principles; (2) establishing basic security practices and policies for employees; (3) keeping computers and networks updated with current security software; and (4) applying security patches promptly and deploying firewalls to prevent outsiders from accessing data on private networks.
- Compliance policies and procedures should account for data privacy concerns and include backup procedures, an action plan for responding to unauthorized access, and rules for mobile devices, which can create significant security and management challenges, especially if they hold confidential information or can access corporate networks. Companies handling Personally Identifiable Information (PII) and Protected Health Information (PHI), such as pharmacies and medical providers, must take even greater care to safeguard these types of information.
- Compliance policies should also address interactions with third parties, best practices for payment cards, and limits on employees' access to data and information and on their authority to install software. With limited exceptions, no single employee should be able to access all data systems. Employees should be given access only to the specific data systems they need for their jobs, and should not be able to install any software without permission.
- Universities and research institutions involved in foreign technology transfer may be particularly vulnerable to state-sponsored intrusions. In 2018, the DOJ began the "China Initiative" to prosecute national security threats connected to China and to educate personnel at colleges, universities, and research institutions about potential threats and "influence efforts on campus."
- Holding information sessions, running table-top exercises to sketch and test response measures, and modernizing existing training to educate employees about vulnerabilities are vital to keeping abreast of emerging threats. Securing cyber insurance and becoming familiar with the policy's terms are other significant steps. Lastly, internal investigations, when necessary, can help identify vulnerable areas and threats and inform how breaches are handled.
For more information on internal investigations, compliance programs, or data privacy and security, please contact your Quarles & Brady attorney or:
- Hector Diaz: (602) 229-5274 / firstname.lastname@example.org