Are You Ready for the Next Supply Chain Attack?

On Friday Cloudstar, a title industry software and consulting provider, was hit by a ransomware attack. Cloudstar operates six data centers and supports over 40,000 customer users. Now those customers are wondering what they are going to do.

Cloudstar users who close real estate sales depend on Cloudstar’s systems being up.

Cloudstar has been down since Friday. Their CEO says he doesn’t know when the systems will be back operational.

Cloudstar’s customers are scrambling today to be able to close loans.

In the meantime, Cloudstar has brought in third-party experts to help them.

While it is possible that Cloudstar was specifically targeted, as suggested in a Housing Wire article, no one knows whether that is true. It is just as possible that they were another random victim after an employee clicked on a malicious link.

This particular software is core to the title business, so it is not as if a title company can do a Google search and replace it. Cloudstar’s competing service providers are circling like vultures, offering free setup and who knows what else, but the problem is that the companies that use Cloudstar’s services do not have access to the forms and client data that live on Cloudstar’s platform, which is now encrypted. Credit: ALTA

Title companies that are affected by this attack likely must report it to their regulator, since the federal government’s working assumption is that ransomware equals data compromise. They also likely have to tell customers that their loan or other data may have been compromised.

Some of Cloudstar’s customers may go out of business, depending on how long Cloudstar is down. It could be anywhere from a few days to a month. Or more.

In helping our clients respond to Fannie Mae audits (MORA), we have seen that Fannie is much more interested in regulated entities’ ability to respond to a ransomware attack and continue to support their customers. This is yet another issue that companies need to be prepared for.

But take a step back from the specifics of this supply chain attack. You likely have vendors that are critical to your business and that are also a single point of failure that cannot be easily or quickly replaced. Given the number of ransomware and other cyber attacks against service providers, companies need to prepare for the possibility that they will be in the same boat as Cloudstar’s customers are today. The alternative is that you lose access to your data, your business comes to a complete standstill, you have to report to regulators and customers that you lost control of your data and, potentially, you face significant expenses.

Are you ready?

Additional info credit: The Title Report

Security News for the Week Ending July 16, 2021

Supply Chain Attacks Roll On

The Accellion File Transfer Appliance vulnerabilities have been the source of many breach notifications over the last several months. For whatever reason, they seem to be dribbling out. The newest one is Morgan Stanley. In this case, it was a Morgan Stanley VENDOR that was using Accellion, so instead of the third party attacks we talk about all the time, this is a fourth party attack. Of course, Morgan Stanley will take the heat, fines and lawsuits. Are you sure your vendors have your back? What about their vendors? Credit: Data Breach Today

Senate Finally Confirms Jen Easterly as Head of DHS/CISA

After CISA went 8 months without an official chief, and after one Senator pulled a pre-July 4th political stunt that delayed her confirmation, the Senate unanimously confirmed Easterly this week. Easterly, who retired from the Army in 2011, was the deputy director for counterterrorism at the NSA, served on the National Security Council staff at the White House and is a two-time Bronze Star recipient. She is an outstanding person to lead CISA after Chris Krebs was fired last year for not following the party line. Credit: CNN

Did Russia Get the Message?

Remember the REvil ransomware gang? The folks that hacked Kaseya and JBS, among others? Well, their web sites are no more. Did the U.S. take them down? Did Putin decide he didn’t like the heat? Will they come back later under a different name? Not clear. But what is clear is that victims who were trying to get their files decrypted by paying the ransom now have a problem: with the sites gone, they are out of luck. My guess is Biden told Putin to fix the problem or we would fix it for him, and he probably would not like the collateral damage. Credit: MSN

Hackers are Hard to Kill Off

Last year around election time the Pentagon was full of press releases saying it had taken down a Russian hacking operation called Trickbot, which has millions of victims around the globe. Bitdefender found that the operators are resurrecting their tools, updating them, and so on. While Bitdefender found this particular tool using a honeypot, that doesn’t mean it was their only tool, and it certainly does not mean they will shut down. It does mean that hacker networks are so profitable that they will come back from the dead. Credit: The Daily Beast

Want a $10 Million Prize?

The feds are offering a reward of up to $10 million for information on operations conducted by actors working for a foreign government. On Thursday, the U.S. Department of State announced that its Rewards for Justice (RFJ) program now incentivizes reports of foreign malicious activity against U.S. critical infrastructure. The actions may include extortion as part of a ransomware attack, stealing information from protected systems, “and knowingly causing the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causing damage without authorization to a protected computer.” The feds set up a Tor site to report information confidentially. Credit: Bleeping Computer

Is Your Company Ready for the Wave of Privacy Laws Here and to Come?

First it was California (version 1 and version 2); then it was Virginia. Now it is Colorado. IT IS NOT GOING TO STOP THERE.

California’s CCPA covered human resources data only partially. CPRA covers it completely and will require HR departments to create programs to protect HR data.

This includes notices at the time data is collected, new data privacy practices, new rules for third parties that the company uses and procedures for when employees exercise their rights.

While Virginia and Colorado were the next two dominoes to fall, there are about two dozen bills in various state houses.

Some of these cover HR data; others do not.

The Colorado and Virginia laws are more likely to be the model going forward, with, of course, twists and turns. In part, this is because those laws are written more coherently. Of course that doesn’t mean that some states won’t model their laws after California’s.

Unlike California, the Colorado and Virginia laws do not allow for a private right of action, which has been a key sticking point in reaching agreement on a national privacy law. The Colorado law does allow local district attorneys to go after violators.

All of these laws have three different sets of responsibilities –

  1. Data controllers – the company or person responsible for the data
  2. Data processors – an organization that acts as an agent for the controller and in some way processes the data
  3. The individuals – who have new data rights

Even if the law in a particular state does not affect employee data, HR is likely going to need to be involved anyway. New policies and programs will affect employees in many ways and HR will need to help companies navigate the new path.

And, of course, companies are going to need to figure out where their customers and visitors are located, because these laws apply based on the individual’s location, not yours.

In addition, companies will need to engage legal talent, whether internal or external.

January 1, 2023 is really not that far away.

For more details, see this article at JD Supra

IoT Bug Could Lay Waste to Factories ….

When people talk about IoT (the Internet of Things) these days, they are thinking of Amazon Alexa or Philips Hue lightbulbs, but IoT started in factories and warehouses, decades ago.

Industrial automation, or IIoT, is still where the biggest risk from IoT attacks lies.

Today we learned about a critical remote code execution bug in Schneider Electric’s Modicon programmable logic controllers, or PLCs.

The bug would allow an attacker to get ROOT-level access to these controllers and take full control of the devices.

These PLCs are used in manufacturing, building automation, healthcare and many other places.

If exploited, the hackers could shut down production lines, elevators, heating and air conditioning systems and other automation.

The good news, if there is any, is that the attacker would need to gain access to the network first. That could mean an insider attack, physical infiltration or something as simple as really bad remote access security, like that water plant in Florida. Which means you probably should not count on that extra hurdle to protect the millions of systems that use Modicon controllers.
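If "the attacker needs network access first" is the only thing standing between an attacker and root on a PLC, then the thing worth watching is who is talking to the PLC segment at all. The following is an added example, not code from the original post or from Schneider Electric, that reads firewall or flow log lines and flags two things: connections into the PLC subnet from hosts other than the approved engineering workstations, and connections out of the PLC subnet to addresses outside the internal ranges (the kind of traffic a remote access tool or a beaconing implant would generate). The subnet, the approved hosts, the log format and the log lines themselves are all constructed assumptions for illustration.

```python
"""Flag flows that reach a PLC segment from hosts that should never talk to it.

Added example, not from the original post or from Schneider Electric. The OT
subnet, the approved engineering workstations, the log format and the sample
log lines below are all constructed for illustration.
"""
import ipaddress
import re

# Assumption: PLCs live in 10.50.0.0/24 and only two engineering workstations
# are allowed to initiate connections into that segment.
OT_SUBNET = ipaddress.ip_network("10.50.0.0/24")
ENGINEERING_HOSTS = {
    ipaddress.ip_address("10.10.0.21"),
    ipaddress.ip_address("10.10.0.22"),
}
# What counts as "internal" is stated explicitly (RFC 1918) rather than via
# ip.is_private, which also treats the documentation ranges used below as
# private and would hide the external-destination case.
INTERNAL_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed key=value flow-log format, one flow per line.
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_flow(line):
    """Return a dict for one log line, or None if the line is malformed."""
    m = FLOW_RE.match(line.strip())
    if m is None:
        return None
    try:
        return {
            "ts": m["ts"],
            "src": ipaddress.ip_address(m["src"]),
            "dst": ipaddress.ip_address(m["dst"]),
            "dport": int(m["dport"]),
            "proto": m["proto"],
        }
    except ValueError:  # "10.10.0.999" matches the regex but is not an address
        return None


def classify(flow):
    """Name the rule a flow violates, or None if it is unremarkable."""
    src, dst = flow["src"], flow["dst"]
    if dst in OT_SUBNET and src not in OT_SUBNET and src not in ENGINEERING_HOSTS:
        return "inbound-to-ot-from-unapproved-host"
    if src in OT_SUBNET and not any(dst in net for net in INTERNAL_RANGES):
        return "ot-to-external"
    return None


def find_suspicious_flows(log_text):
    """Run every parseable line through classify() and collect the hits."""
    findings = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue  # malformed line; a production collector should count these
        rule = classify(flow)
        if rule is not None:
            findings.append({"rule": rule, **flow})
    return findings


# Constructed sample: an approved workstation, an office desktop reaching a PLC,
# a PLC-segment host reaching an outside address, PLC-to-PLC traffic, and junk.
SAMPLE_LOG = """\
2021-07-16T10:02:11Z src=10.10.0.21 dst=10.50.0.7 dport=502 proto=tcp
2021-07-16T10:03:40Z src=10.20.3.15 dst=10.50.0.7 dport=502 proto=tcp
2021-07-16T10:04:02Z src=10.50.0.12 dst=198.51.100.20 dport=443 proto=tcp
2021-07-16T10:05:55Z src=10.50.0.7 dst=10.50.0.12 dport=502 proto=tcp
2021-07-16T10:06:13Z src=10.10.0.22 dst=10.50.0.9 dport=44818 proto=tcp
this line is not a flow record
"""

if __name__ == "__main__":
    for hit in find_suspicious_flows(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["rule"]}: {hit["src"]} -> {hit["dst"]}:{hit["dport"]}')
```

On the sample above the office desktop reaching the PLC and the PLC-segment host reaching an outside address are the two hits; the engineering workstations and PLC-to-PLC traffic are left alone. The point of keeping the allow list explicit is that it doubles as the segmentation rule you would push to the firewall: anything this script flags is a connection the firewall should not have permitted in the first place.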

Schneider Electric has released some “mitigations” but has not released a patch yet.

The bug is rated 9.8 out of 10 for severity.

What is really concerning is that Schneider released patches for dozens of bugs today.

Given that IIoT users almost never install patches, this “patch release” doesn’t make me feel much better.

But it appears that the velocity of IIoT bug disclosures and patches is increasing dramatically. Given that, factory and other IIoT owners have to choose between two uncomfortable options: don’t patch and risk getting hacked, or patch and deal with the downtime. They are not going to like either choice, but they are going to have to choose.

My guess is that they are going to choose not to patch and we are going to see a meltdown somewhere that is going to be somewhat uncomfortable for the owner. An example of past similar events is the Russians blowing up a Ukrainian oil pipeline a few years ago. In the middle of winter. When the temperature was below zero.

Credit: Threatpost

What is the U.S. Going to do About Putin?

The last presidential administration went hard after China – applying sanction after sanction, but with minimal success. They also seemed to give Russia a free pass.

Many of the very public recent hacks are being attributed to Russia, including SolarWinds and Kaseya.

When Biden met with Putin in Geneva last month, the two agreed to form a committee to address the problem.

Since it is popularly understood that Putin is directing the attacks, or at least approving them (and probably taking a cut), it is not clear that a committee will do much.

Still, that is the step that this administration is willing to take at this time.

However, there are some hints that this administration might be willing to do more.

When Biden was specifically asked if it made sense to attack back, he responded, somewhat cryptically, with a simple YES.

When Biden was asked what he expected Putin to do, he declined to say. He did say “we’ll see”.

We need to both defend and offend.

U.S. businesses need to harden their systems against attack and redesign them to limit the losses when an attack succeeds. While Russia is certainly a player in the attack business, it is not the only one, and even if a miracle happened and Putin shut down his revenue stream, that would only reduce the number of attacks. AND, I don’t anticipate a miracle.

At the same time the U.S. government needs to make hackers face consequences. Having the DoJ indict people who will never be arrested, as the last administration did, is not terribly effective. Every now and then we catch a stupid one who crosses into friendly territory, but all that does is teach the smart ones not to do that.

This is a hard problem, but continuing to do what we have done in the past is not going to work. Credit: The White House

Security News for the Week Ending July 9, 2021

Flash – The Gift That Keeps on Giving

Flash, that piece of garbage software that Adobe finally killed a few months ago and which, I have said, should have been killed 20 years ago, turns out to be at the root of another supply chain hack. For many people, supply chain attacks first came to their attention after the Russians compromised SolarWinds and hacked 9 government agencies and hundreds, if not thousands, of companies. But supply chain attacks have been around for a long time. One of the earliest was the compromise of RSA’s SecurID tokens back in 2011. For those not familiar with that attack, it compromised every RSA SecurID token in the world, affecting banks, businesses and even the Pentagon.

After a 10 year NDA expired, the story is now being told to Wired. And yes, the root was a Flash vulnerability. One reason this is an interesting learning experience is that RSA detected the hack, somewhat by accident, within a few days and played cat and mouse with the hackers after that. That whole story is a lesson for all companies. Credit: Wired

Team Trump Launches Buggy Twitter Competitor

Last week former Trump spokesman Jason Miller launched a right-wing oriented social media platform called Gettr. While visually it is a Twitter clone, technically it has some work to do. The app apparently uses Twitter’s API to let you import your Tweets.

Apparent Trump supporter (NOT!) Ashkan Soltani said this of the app:

“This app looks like a dumpster fire that was coded from the lavatory of Donald Trump,” Soltani told Motherboard. “It literally took me longer to copy the screenshot images off of my test phone than it did to find the actual bug.”


He also demonstrated that GETTR is already well set up to be a haven for bots and fake accounts.

Don’t be surprised if they get Parlered. I don’t think Parler ever recovered from that event. Credit: Vice

Chain Gangs Are Back Again

No, not that kind of chain gang. Apparently thieves in Texas and other states have decided that stealing construction equipment, attaching chains to ATMs and then connecting the two while pulling hard is a good strategy. Some ATMs can hold a quarter million dollars, but you have to pick wisely. The FBI has made more than 50 arrests in Texas and has documented at least 139 chain gang attacks. Wow! Credit: Brian Krebs

Biden Issues EO on Right to Repair, Net Neutrality

President Biden issued an EO today containing 72 initiatives by more than a dozen agencies to tackle some major competition issues. In some cases, the EO asks federal agencies to do things that he cannot order them to do, so stay tuned for more action. Among the 72 items are banning or limiting non-competes that stop people from changing jobs, supporting state efforts to lower drug prices by allowing them to import drugs, allowing hearing aids to be sold over the counter at drug stores, barring manufacturers from blocking self-repairs or third party repair services, and calling on the DoJ and FTC to strictly enforce antitrust laws, among other requirements. This will take a while to digest, but it definitely attacks some sacred cows. Credit: The White House