SANS NewsBites

NJ US Appellate Court Rules Insurer Did Not Prove NotPetya Was an Act of War; Google Increases Support for Passkeys Over Passwords; Chrome Browser Replacing Lock Icon, Education Will Be Required

May 5, 2023  |  Volume XXV - Issue #36

Top of the News


2023-05-03

Court Rules Insurers Must Pay Merck $1.4B for NotPetya Losses

An appellate court in New Jersey has ruled that insurance companies must pay Merck more than $1.4 billion to cover losses incurred when Merck’s systems became infected with NotPetya malware in 2017. The court ruled that the war exclusions the insurance companies were invoking in a bid to deny coverage did not apply in the case of the cyberattack.

Editor's Note

I hate to always be a nattering nabob of negativism about the lack of value delivered by cyberinsurance, but it is important to note that this ruling is based on the particular very large “All Risks” type of policy Merck had, not “vanilla” cyberinsurance. The court stated that type of policy is a “…special type of insurance extending to risks not usually contemplated, and recovery under the policy will generally be allowed…” Also, note that it took 5 years of legal actions to get to this judgement, which may yet be overturned. And this policy had a $150M deductible, in any case. Remember, NotPetya succeeded because the Windows flaw (CVE-2017-0144) that enabled the previous WannaCry attacks had not been patched – it would have cost Merck much less than the deductible, let alone the full incident, to maintain critical patch essential hygiene levels.

John Pescatore

Excellent for Merck, and if you had a similar claim rejected on those grounds you may want to chat with your lawyer. More significantly, expect your cyber insurer to be updating their exclusions. When you get that updated coverage or renewal notice, make sure that you read it carefully, again engage your legal team: you want to be certain what is and is not covered and under which constraints.

Lee Neely

This, in my opinion, is precedent-setting and will force insurers to rethink coverage limitations and cost to provide cyber insurance. I tend to agree with the appellate court finding in upholding the lower court’s decision: it was neither a hostile nor a warlike action directed at Merck. I would be remiss not to point out that the attack was only successful because Merck failed to patch a vulnerability that was several years old. Cyber insurance shouldn’t be a substitute for an effective patch management program.

Curtis Dukes

The key lesson here is to ensure that you carefully review the terms and conditions, together with any exclusions, in your cybersecurity policies. Make sure that after the review, you are comfortable with what your policy covers and does not cover while remembering cyber insurance is more about covering the financial risk associated with a cyber-attack than managing the cybersecurity risk.

Brian Honan

2023-05-04

Google Now Supports Passkeys on All Accounts

Google has rolled out support for passkeys on personal Google Accounts. When users create and use passkeys, they will no longer be prompted to provide passwords or to use two-factor authentication (2FA) when signing in to those accounts. Passkeys are stored on local devices; a user can create passkeys for each device on which they access their Google Accounts. However, anyone with access to and the ability to unlock those devices will have access to the user’s Google Account.


2023-05-03

Google Chrome Will Bid Farewell to the Lock Icon

Google has announced that it will remove the padlock icon from Chrome in Chrome 117, which is scheduled to be released this September. The lock icon was introduced in the 1990s to indicate that a site has been loaded over HTTPS. Because HTTPS has become ubiquitous, Google plans to replace it with what it has named the “tune” icon, which “does not imply ‘trustworthy’; is more obviously clickable; and is commonly associated with settings or other controls.” Google’s research showed that many users misunderstood the meaning of the padlock icon: it has never indicated whether or not a site is trustworthy, only that there is a secure connection between the browser and the site. Also, many users were apparently unaware that clicking on the lock icon allowed them to access site permission and security controls. Google will also replace the lock icon in Android, and remove it entirely from iOS as it is not clickable on that platform. Google users will still be alerted when their connections are not secure on all platforms.

The Rest of the Week's News


2023-05-02

An In-Depth Account of What’s Known (So Far) About the SolarWinds Supply Chain Attack

Kim Zetter details what is currently known about the SolarWinds supply chain attack investigation, from the first inklings in 2019 that something was afoot, to investigators unpacking the hackers’ activity, to recent revelations from CISA and the US’s Cyber National Mission Force (at the RSA Conference last month) about their response to the campaign.

Editor's Note

Kim Zetter has a pretty good history of really solid books on this topic. I suspect this article will be well worth the read.

Moses Frost

This is a good read. You may find yourself wincing at mistakes made which could have easily been made by your team. I'm thinking it's a good time to review some SOPs to double check your own shop, to include making sure that the relationship with law enforcement won't go unexpectedly quiet as they have a hot lead or otherwise sensitive area. Understand the impacts on a case when details are leaked or published during sensitive intervals; find out how you can still get a status update without being ghosted.

Lee Neely

2023-05-04

Former Uber CSO Joe Sullivan Receives Probation for Breach Cover-up

Former Uber CSO Joe Sullivan was sentenced to three years of probation for his role in covering up a data breach that compromised the personal information of 50 million individuals while the company was being investigated by the US Federal Trade Commission over a previous breach. In October 2022, Sullivan was convicted of obstruction of justice and hiding a felony.


2023-05-02

Colorado Eases Path for Municipal Broadband

On Monday, May 1, Colorado Governor Jared Polis signed a bill eliminating the requirement that towns and cities get voter approval prior to offering cable television or telecommunications services. The bill “gives local governments the authority to provide broadband service, either on their own or by partnering with industry service providers, without holding a local election.”


2023-05-03

Apple and Google are Developing Spec for Detecting Unwanted Location Trackers

Apple and Google have “jointly submitted a proposed industry specification to help combat the misuse of Bluetooth location-tracking devices for unwanted tracking.” The draft specification “outlines technical best practices for location tracker manufacturers, which will allow for their compatibility with unwanted tracking detection and alerting technology on platforms.”


2023-05-04

Microsoft Fixes Azure API Management Service Flaws Found by Ermetic Researchers

Researchers from Ermetic detected three high-severity vulnerabilities in the Azure API Management service: two server-side request forgery flaws and a file upload path traversal on an internal Azure workload. Microsoft has fixed all three vulnerabilities.


2023-05-02

CISA Publishes ICS Advisory for Mitsubishi Electric Factory Automation Products

The US Cybersecurity and Infrastructure Security Agency has published an Industrial Control Systems (ICS) Advisory warning of multiple vulnerabilities in Mitsubishi Electric Factory Automation products. The vulnerabilities, all of which stem from vulnerable third-party components, involve flaws in Intel products, and could be exploited to create denial-of-service conditions in Mitsubishi Electric MELIPC, MELSEC iQ-R, and MELSEC Q Series products.


2023-05-02

CISA Adds Three Vulnerabilities to KEV Catalog

On Monday, May 1, the US Cybersecurity and Infrastructure Security Agency (CISA) added three security issues to its Known Exploited Vulnerabilities (KEV) Catalog: a command injection vulnerability in TP-Link Archer AX-21; a deserialization of untrusted data vulnerability in Apache Log4j2; and an unspecified vulnerability in Oracle WebLogic Server. Federal Civilian Executive Branch (FCEB) agencies have until May 22 to mitigate these vulnerabilities.


2023-05-03

City of Dallas, TX, Hit with Ransomware Attack

Earlier this week, the city of Dallas, Texas, became the victim of a ransomware attack. The incident affected the city’s police department and city hall websites, and the city’s municipal court cancelled some jury trials. While 911 calls do not seem to be affected, the dispatch system that helps firefighters respond to those calls is affected. Dallas Fire-Rescue has been operating on manual dispatch since the attack.

Internet Storm Center Tech Corner

Infostealer Embedded in a Word Document

https://isc.sans.edu/diary/Infostealer+Embedded+in+a+Word+Document/29810

Increased Number of Configuration File Scans

https://isc.sans.edu/diary/Increased+Number+of+Configuration+File+Scans/29806

VBA Project References

https://isc.sans.edu/diary/VBA+Project+References/29800

Cisco SPA-112 Vulnerability

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-spa-unauth-upgrade-UqhyTWW

Fortinet May Updates

https://www.fortiguard.com/psirt?date=05-2023

Google Enabling Passkeys

https://blog.google/technology/safety-security/the-beginning-of-the-end-of-the-password/

PaperCut exploitation - A Different Path to Code Execution

https://vulncheck.com/blog/papercut-rce

Chrome to Drop Lock Icon from HTTPS

https://blog.chromium.org/2023/05/an-update-on-lock-icon.html

Attack Against AMD TPM Implementation

https://arxiv.org/abs/2304.14717

BGP Message Parsing Vulnerabilities in FRRouting

https://www.forescout.com/blog/three-new-bgp-message-parsing-vulnerabilities-disclosed-in-frrouting-software/

JWT ECDSA Algorithm Confusion

https://blog.pentesterlab.com/exploring-algorithm-confusion-attacks-on-jwt-exploiting-ecdsa-23f7ff83390f