Merck, Insurers Reach NotPetya Settlement; FBI Sending More Cyber Agents to US Embassies

Make sure you’re current on what your cyber insurance will and will not cover, and adjust accordingly. Before you let your legal team convinces you they can get the desired outcome regardless of the Insurance Company’s position, consider that Merck’s been working this settlement since 2017 and you may not be able to survive that long waiting on remuneration.

We now have case law on what is or isn’t considered ‘acts of war’ when it comes to cyber events. Next up will be determining the legal definition of 'nation-state-backed cyberattacks' and how they affect insurance coverage. One can expect that the insurance industry will further refine exclusion policies, as well as increase the cost of coverage because of the settlement.

Part of this is to address recent international takedown efforts which haven’t been resulting in arrests. Another part is to increase staff in place to respond to the increased need for cooperation on tracking and taking down international cyber gangs. Local resources, with corresponding connections, context and presence, should help increase the effect of these efforts as they are typically far more effective than working from afar.

Cybercrime is an international issue and has been for several decades. In many ways, international cooperation is built on close, personal relationships. This placement creates that synergy to be effective in fighting cybercrime.

Although the company has informed regulators and law enforcement, they have yet to declare it had a material impact. It’s hard to believe that a ‘cybersecurity incident’ that bears all the trademarks of a ransomware attack wouldn’t have a material impact on the company. This will be a good test drive of the newly established SEC cybersecurity rules.

LoanDepot is a non-traditional bank or non-bank which services about $140 billion in loans with about 6,000 employees; the impact could be quite large. If you’re a LoanDepot customer, given the sensitivity of your data associated with that loan, you may want to subscriber to credit/identity monitoring and restoration services just to get the ball rolling.

This appears to be a case of erring on the safe side. LoanDepot was timely in disclosing the breach, which was detected over the weekend. Notification to the SEC was within four days. However, there is no mention in the reports of a determination by LoanDepot of materiality."While we do need experience with the rule, this case may not be helpful.

The breach occurred between February 28 and March 13, 2023, and attackers had access to Orrick’s client data storage file servers. They have taken steps to raise the bar and prevent recurrence. While Orrick has not detected any misuse of the breached information, they have settled four class-action lawsuits related to this breach.

Legal firms are frequently targeted as they host client data of interest to cyber criminals and more likely to pay a ransom should they become a victim.

Apache OFBiz is a component used in other software, like for example in JIRA. The flaw is particularly unfortunate as it was meant to be patched a while ago, but OFBiz developers did not understand the full impact of the flaw and only created a partial fix for the underlying authentication bypass.

CVE-2023-51467, authentication-bypass, carries a CVSS score of 9.8 and is being actively targeted. OFBiz is an open source ERP framework that includes business automation capabilities. The fix invokes better input validation checks when the field is empty, and the update appears pretty simple/low risk.

Kudos to SonicWall for researching the original vulnerability and determining root cause. Given that Apache’s software framework is used by many e-commerce sites, prioritize the vulnerability, and immediately update to the newer version of OFBiz.

The SQL injection flaw can be used to discover secrets used to manage devices connected to a particular Ivanti instance. These secrets can then be used to execute code not just on the Ivanti instance but on any device connected to it.

CVE-2023-39336 has a CVSS rating of 9.6 and has a low difficulty level of exploit. Ivanti claims attackers need internal network access for exploitation, but with the numbers of telecommuters, it’s tricky to assess what’s protected by a corporate firewall or otherwise. The best bet is to deploy the update, setting Internal/External aside. Make sure you’re applying EPM 2022 Service Update 5, 2021.1 Service Update 5 doesn’t include the fix.