“Shields Up” Cyber Threat Alert Issued for All U.S. Organizations

By Kathie McDonald-McClure

The United States Cybersecurity and Infrastructure Security Agency (CISA) has issued a Shields UpAlert for every organization in the United States. The Shields Up Alert states that, as a result of the Russian government’s use of cyber as a key component of asserting pressure on a country’s government, military and population, “[e]very organization in the United States is at risk from cyber threats that can disrupt essential services and potentially result in impacts to public safety.” The Shields Up Alert sets forth specific recommended actions for organizations to take, regardless of size, to:

  • Reduce the likelihood of a damaging cyber intrusion,
  • Quickly detect a potential intrusion,
  • Ensure the organization is prepared to respond to an intrusion, and
  • Maximize the the organization’s resilence to a destructive cyber incident.

Read the full Shields Up Alert here.

Apache Log4j Vulnerability in Java Applications May Pose Risk to Confidential Company and Personal Information

By: Kathie McDonald-McClure

On December 11, 2021, the United States Cybersecurity & Infrastructure Security Agency (CISA), issued a Statement regarding what it called a “critical vulnerability affecting products containing the log4j software library”.  This Statement emphasizes that end users are reliant on their vendors to inform them about the vulnerabilities and to develop patches to protect against the vulnerabilities.   Separately, CISA established a webpage for Apache Log4j Vulnerability Guidance that CISA is continually updating to impart further guidance and vendor information as they become available.  End users should be on the lookout for critical patches from their vendors.

According to the CISA Guidance, the Log4j vulnerability is being widely exploited by a growing set of malicious actors to steal information, launch ransomware attacks, or conduct other malicious activity such as taking over a company server to mine cryptocurrency.  At least 10 major technology vendors have issued statements that one or more of their products have been affected by the Log4j vulnerability: Cisco, IBM, VMware, Amazon Web Services (AWS), Fortinet, Broadcom, ConnectWise, HCL Connections, N-Able, and Okta.[1] On December 15, 2021, the Microsoft 365 Defender Threat Intelligence Team reported that a new family of ransomware, called Khonsari, is being deployed via the Log4j vulnerability on non-Microsoft hosted servers.

Continue reading

KRONOS Payroll Ransomware Attack Implicates Potential Data Breach Notification Obligations

By: Kathie McDonald-McClure

UKG, Inc., a company that provides payroll support services known as KRONOS for many U.S. companies, began notifying its customers on December 12, 2021, that the KRONOS Private Cloud (KPC) had been attacked by ransomware.  (See UKG Kronos Private Cloud Status Updates.) The KPC products include Workforce Central, TeleStaff, Healthcare Extensions and Banking Scheduling Solutions. UKG reports that the KPC solutions may be unavailable for “several weeks.”  Affected companies are diligently working to find alternative solutions to process their payrolls in the interim. UKG has created a KPC Incident Resource Hub to assist customers impacted by the KPC disruption in services.

The American Hospital Association (AHA) reported that the ransomware attack has impacted many hospitals and health systems that rely on KRONOS for timekeeping, scheduling and payroll.  John Riggi, AHA’s Senior Advisor for Cybersecurity and Risk, said, “A lack of the availability of those services could be quite disruptive for health care providers, many of whom are experiencing surges of COVID-19 and flu patients. … This attack once again highlights the need for robust third-party risk management programs that identify mission-critical dependencies and downtime preparedness. … [W]e urge all third-party providers that serve the health care community to examine their cyber readiness, response and resiliency capabilities.” 

In addition to the immediate payroll issues, if the ransomware attack compromises employee personal information, then it may trigger a data breach notification for these employers under state breach notification laws. 

Continue reading

Senators Propose U.S. Cybersecurity Incident Notification Law

This post was originally published on July 21, 2021. See important “Update” below.

UPDATE: On March 15, 2022, President Biden signed H.R. 2471, the Consolidated Appropriations Act of 2022, which includes the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“The CIRCI Act”). The CIRCI Act, which appears as Division Y in H.R. 2471, has several elements proposed by the initial Senate Bill that was the subject of this article with some variations. CISA has 24 months to issue implementing regulations.

——————————————————

In light of the escalation in ransomware and other cyber threats, a bi-partisan group of U.S. Senators has released a cybersecurity notification bill titled “Cyber Incident Notification Act of 2021.” Under the proposed bill, a “covered entity” would be required to report a “cybersecurity intrusion” or “potential cybersecurity intrusion” to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of confirmation of the intrusion.  Covered entities also would be required to submit updated cybersecurity threat information to CISA within 72 hours after the discovery of new information. The requirement for updates would continue until the incident is mitigated or any follow-up investigation is completed.

Although the term “cybersecurity intrusion” would be defined in future rulemaking with public comment, the bill provides, at a minimum, that the term include ransomware if it falls into one of six broad categories. The categories include ransomware involving a nation-state, an advanced persistent threat cyber actor, or a transnational organized crime group. The categories also include ransomware that results in or has the potential to result in harm to national security interests, the U.S. economy, or to public confidence, civil liberties, or public health and safety. In essence, it would encompass most types of ransomware.

The term “covered entity” also is to be defined by future rulemaking but, per the bill, “shall include, at a minimum, Federal contractors, owners or operators of critical infrastructure, as determined appropriate by the Director based on assessment of risks posed by compromise of critical infrastructure operation, and nongovernmental entities that provide cybersecurity incident response services.” CISA’s list of critical infrastructure sectors include: Information Technology, Communications, Healthcare and Public Health, Emergency Services, Financial, Energy, Food and Agriculture, Commercial Facilities, Critical Manufacturing, among others. For a full list of CISA’s current “critical infrastructure” sectors and a detailed description of each, click here

To incentivize compliance, the law would allow the CISA Director to assess a civil penalty up to 0.5 percent of the entity’s gross revenue from the prior year for each day it violates the requirements under the law or under rules promulgated under the law. The Director would be allowed to “take into account mitigating or aggravating factors, including the nature, circumstances, extent, and gravity of the violations and, with respect to the covered entity, the covered entity’s ability to pay, degree of culpability, and history of prior violations.”

Click here to read the full Senate Bill.

Federal Agencies Warn of Cyberattacks on U.S. Hospitals

By Margaret Young Levi and Kathie McDonald-McClure

On October 28, 2020,  the Federal Bureau of Investigation (FBI), the U.S. Department of Health and Human Services (HHS), and the Cybersecurity and Infrastructure Security Agency (CISA) issued a Joint Cybersecurity Advisory warning hospitals and the health care community about coordinated ransomware attacks on hospitals designed to steal data and freeze hospital information systems for financial gain. 

Six U.S. hospitals fell victim to this attack on October 27th and the FBI, HHS, and CISA have credible information that more hospitals will be targeted in this attack. The ransomware behind these attacks is known as Ryuk, which utilizes TrickBot malware and other malware to execute the attack. The Ryuk ransomware is designed to allow the cybercriminals to stealthily access, map and move laterally across the victim’s network before encrypting critical data files and deleting connected backups.

Continue reading