This month, the cybersecurity research firm Volexity found a series of four critical security vulnerabilities in Microsoft’s Exchange Server software.  Since then, vulnerability has been independently verified and confirmed by Microsoft.  It is believed to have been used by foreign-state threat actors for an unknown period of time, extending at least to January, 2021.  Exchange acts as the back-end software that handles email for the vast majority of large organizations; Outlook connects to Exchange to display email for user accounts.

While the vulnerability does not affect customers running Microsoft’s Exchange Online service exclusively, most organizations in the US are running some form of Internet-facing Microsoft Outlook Web Access (OWA) for their email systems in tandem with Exchange servers.

Companies that use Microsoft Exchange Server for email messaging in any version should take immediate steps to address the situation.  Office 365 is not affected, but companies with physical Exchange servers combined with Office 365 would still be vulnerable.  The vulnerability effects every version of Microsoft Exchange Server from 2010 through 2016.  The exploited vulnerability and potential back door allows a remote attacker full access and control of the organization’s Exchange server, including all the data residing on it—emails, attachments, contacts, notes, tasks, calendar items, etc.  Attackers using the vulnerability can also identify a mailbox by user name and view or copy the entire mailbox contents.

The seriousness of the issue is difficult to understate.  Using the exploit, intruders are able to leave behind one or more “web shell,” scripts for future use.  A web shell is an easily-operated, password-protected hacking tool that can be accessed from any browser over the Internet; they are also commonly used for legitimate functions, and thus difficult to identify as malware by file type alone.
Continue Reading Organizations Using Microsoft Exchange Mail Server Face Severe Cybersecurity Threat

Seyfarth Synopsis:  The attorney-client privilege is a bedrock legal principle that protects a client from providing a court or adversary with confidential communications exchanged in the course of providing or receiving legal advice with an attorney.  Cybersecurity data breach, often accompanied by ransom/extortion demands and threats of publication of sensitive information, diminish the attorney-client privilege protection and raise ethical issues as to an attorney’s duty in protecting the privilege from being waived. 
Continue Reading Ransomware with Data Exfiltration and Threatened Leak Extortion

A nationwide fraudulent unemployment benefits cyber scam has been making headlines for many months now and still continues to threaten employers and countless individuals throughout the United States.   Threat actors continue to exploit overwhelmed governmental agencies and are filing claims for benefits using the personal information of people who have not lost their jobs.  The false claims have been estimated in the hundreds of millions of dollars of fraudulent unemployment claims being paid to threat actors.  This fraud is a sharp reminder that sensitive personal information in the wrong hands can result in tremendous harm.  Employers should remain vigilant and alert their workforce, promptly challenge fraudulent claims, and check cyber-security practices and policies to help protect against this and other cyber threats.

It is estimated that nearly 53 million unemployment claims were filed during the few months of the coronavirus pandemic and the threat has continued into 2021.  Many state agencies, already understaffed and functioning with older technology and fraud detention protocols, were not prepared for the onslaught and have become tremendously overwhelmed.  The resulting delays and chaos in processing so many unemployment claims in such a short time has set the perfect stage for threat actors to take advantage.

Under normal circumstances, when the unemployment claim is filed, the agency will send  timely notice to the employer to provide the opportunity to protest the claim.  Typically the employer has ten days to protest.  However, during the pandemic, unemployment offices across the country have struggled to get the notices out to employers – taking months rather than days.  Consequently, employers are receiving the protest notices after the time has expired to protest the claim.  Most people learn they are affected when they get a notice from the state unemployment benefits office about their supposed application for benefits.  By then, however, the benefits usually have been paid to an account the criminals control.  Further, it is not clear given the magnitude of claims and impact on individuals whether in some instances agencies are paying even before they send the protest notice.
Continue Reading COVID-19 Unemployment Benefits Scams Continue Well Into the Pandemic

In response to the COVID-19 crisis, nearly all companies and organizations were abruptly forced to transition portions of, and in many cases, their entire workforce to remote work.  After a few weeks, it seems that many companies have adjusted to this “new normal” and settled in, albeit with some lingering technical and connectivity issues.  As companies raced to get their employees up and running remotely, it is likely many were primarily focused on connectivity and security, while necessarily ignoring the complex privacy, security, compliance, and document preservation challenges lurking below the surface of the “new norm.”

Companies will begin to realize that transitioning to a remote workforce can lead to unintended consequences that can and should now be addressed. Some of these unintended consequences include:

  1. Information Technology (“IT”) departments deploying software and systems such as Microsoft Teams, Slack, etc that have not yet been properly tested, including establishing retention periods, back-up procedures, and acceptable use policies.
  2. “Shadow IT” issues relating to employees using whatever services and products they think will help them do their remote job better, even when those products or services are not vetted by, supported by, or welcomed by corporate IT.
  3. Informal communications using messaging tools or social media platforms that are either not preserved subject to an active litigation hold notice, or that violate company policy, or frame the company in a negative light.
  4. Remote employee use of unauthorized external or cloud-based storage for company data.
  5. Information subject to a litigation hold notice being lost due to the inadequate back-up of laptops and other systems being used off-premises.
  6. Recycling of laptops, desktops, and mobile devices subject to a litigation hold notice in order to ensure rapid deployment of remote workforce.
  7. Employees using personal devices to store information and communications that are or could become subject to a litigation hold notice.
  8. Risking breach of confidential, sensitive, or personally identifying information (“PII”) due to lack of adequate remote security.
  9. Employees using unauthorized, unsecured, commercial collaboration tools.
  10. Employees using unsecured endpoints or endpoints with consumer-grade antivirus or antimalware.
  11. Employees operating off-network such that corporate firewalls for phishing and network intrusion are not engaged.
  12. Terminated employees subject to a litigation hold notice.


Continue Reading COVID-19 Remote Workforce Risks – Preservation, Compliance, Privacy, and Data Security Risks

This month, the Federal Bureau of Investigation published information and guidance for organizations about ransomware attacks, along with some suggested preventative measures.  There is a section in the bulletin discussing whether victims should consider paying ransom to attackers.  According to the statement, the FBI “does not advocate paying a ransom, in part because it does not guarantee and organization will regain access to its data,” and paying ransoms emboldens criminals to target others.

Several of the suggested “best practices” are somewhat generalized, such as increased employee awareness about how ransomware is delivered, and basic security techniques (we would recommend adding anti-phishing training and tests to the list).  However, several others are more specific.  All of the measures listed should be considered as parts of a comprehensive standard information security program.

Among the list of the FBI’s “Cyber Defense Best Practices” recommended are:
Continue Reading FBI Public Service Announcement on Ransomware

Every day all over the world, companies fall victim to cybersecurity attacks.  It’s nearly a constant these days.  Many of these attacks are preventable with the right amount of attention to detail in system setup and hardening.  The three common themes in postmortem examination of all of these attacks boil down to 1) human error; 2) configuration error; 3) failing to proactively defend.  In this series of six posts, we will dive into each attack’s anatomy, the attack vector, and the ways companies can attempt to avoid being victim to them.  In the last post, guest bloggers from G2 Insurance will walk through how insurance companies react to claims, what to watch out for in your policies, and appropriate coverage levels for cyber insurance based on their experience handling claims.

#1  Email Spoofing and Wire Fraud

This attack is essentially a wire instruction interception/redirection or wholly fake request for a transfer.  This is an event that comes up daily or at least weekly in any cybersecurity professional’s world.  This attack typically plays out with a threat actor masquerading as a legitimate authority within a company, typically someone in the C-suite or Director level.  To make it successful, the recipient of the wire transfer request has to believe it’s legitimately originating from one of those authoritative people.

One way attackers do this is using actual stolen credentials.  Despite the flood of data security breaches and database hacks, people unfortunately still use weak passwords and also re-use passwords.  We have seen dozens of instances of successful credential attacks where the attacker used publicly available database leak information to gain unauthorized access to corporate accounts.  The approach goes like this: an attacker harvests information regarding corporate leadership from various data sources about companies (LinkedIn, Dunn & Bradstreet, Bloomberg, Google Finance) and chooses a few people to target.  They then cross-reference those names to leaked credential databases, often times hosted on Darkweb sites, IRC chat rooms, or other forums dedicated to hacking.  If the attacker is able to find other accounts belonging to their targets that have been compromised and have a password, they can try that password, and tens of thousands of variations of it, to attack the corporate account of their victim.


Continue Reading Top Five Most Common Cybersecurity Attacks and How to Prevent Them – Part 1: Email Spoofing and Wire Fraud

November 16, 2018 – President Donald Trump signed the Cybersecurity and Infrastructure Security Agency Act of 2018, which establishes the Cybersecurity and Infrastructure Security Agency (“CISA”) at the Department of Homeland Security (DHS).  The law reorganizes DHS’ National Protection and Programs Directorate (NPPD) into an agency that will focus on cybersecurity threats.

With its promotion

This morning, the European Commission released a Proposal for a Regulation addressing the EU’s cybersecurity industry as part of its next step towards a Digital Single Market, which is the EU’s strategy to ensure fair competition, consumer and data protection, and removal of copyright and geo-blocking issues for individuals participating in online activities and

Seyfarth Shaw Partner Jordan Vick is on the panel for the “Playing by the Rules: Rule Changes Essential to Your Practice” session on Friday, November 16, at Georgetown Law’s 15th annual Advanced eDiscovery Institute in Washington, D.C.

Session topics include:

  • The 2015 Amendments to the FRCP and their actual impacts on practitioners, including unintended consequence

At the end of June, the California legislature passed its Bill 375, the California Consumer Privacy Act of 2018.  The Act contains a number of concepts that would be familiar to those who are working to bring their companies and organizations into compliance with GDPR.  The new law defines a category of “Personal Information” that radically departs from a traditional definition of Personal Data commonly found in various State Data Privacy Laws, which usually ties an individual name to other identifiers like social security number, account number, or other factors.  Instead, the California Act defines “Personal Information” as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.  It does not, mercifully, include publicly available information, but it still comes closer to a GDPR-like definition of “personal data” than any other US law.

The Act provides California residents some rights that also appear familiar.  For example:

  • Consumers can request a copy of all the Personal Information a business has collected;
  • Consumers have the right to request that the business delete their Personal Information (subject to some exceptions), and a right to direct a company to not share their Personal Information with third parties; and
  • Consumers can request that a business disclose the categories of information it has collected, the sources of information, the purpose for the collection and/or its sale of the information, and the third parties with whom the information is shared.


Continue Reading California’s Consumer Privacy Act of 2018 – Get Ready for New GDPR Style Requirements in the US