Tag Archive for: SEC

Ransomware gang files SEC complaint against company that refused to negotiate


The BlackCat ransomware gang has begun abusing upcoming US Securities and Exchange Commission (SEC) cyber incident reporting rules to put pressure on organizations that refuse to negotiate ransom payments. The attackers filed an SEC complaint against one victim already, in a move that’s likely to become a common practice once the new regulations go into effect in mid-December.

On Wednesday, cybercriminals behind the BlackCat ransomware, also known as ALPHV, listed MeridianLink, a provider of digital lending solutions to financial institutions, on its data leak website that’s used to publicly name and shame companies the group allegedly compromised. Most ransomware gangs have adopted this double extortion tactic in recent years to force the hand of uncooperating victims by threatening to sell or release data the attackers managed to steal.

In fact, some cybercriminal groups sometimes don’t even bother deploying file-encrypting malware and go straight to data leak blackmail. This seems to have been the case with BlackCat and MeridianLink, according to DataBreaches.net, which reported speaking with the attackers. The breach reportedly happened on November 7 and only involved data exfiltration.

After an initial contact by someone representing the company, communications went silent, the attackers said. As a result, on November 15 the group listed the organization on their data leak blog but took it one step further: It filed a complaint with the SEC for failure to disclose what the group calls “a significant breach compromising customer data and operational information” using Form 8-K, under Item 1.05.

New SEC rules require reporting of material breaches

The new SEC cybersecurity reporting rules that will go into effect on December 15 require US-listed companies to disclose cybersecurity incidents that impact the company’s financial condition and its operations within four business days after determining such an incident occurred and had a material impact. “Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” SEC Chair Gary Gensler said back in July when the Commission…


SEC sues SolarWinds for alleged cyber neglect ahead of Russian hack


U.S. regulators sued SolarWinds, a Texas-based technology company whose software was breached in a massive 2020 Russian cyberespionage campaign, for fraud for failing to disclose security deficiencies ahead of the stunning hack.

The company’s top security executive was also named in the complaint filed Oct. 30 by the Securities and Exchange Commission seeking unspecified civil penalties, reimbursement of “ill-gotten gains” and the executive’s removal.

Detected in December 2020, the SolarWinds hack penetrated U.S. government agencies including the Justice and Homeland Security departments, and more than 100 private companies and think tanks. It was a rude wake-up call that raised awareness in Washington about the urgency of stepping up efforts to better guard against intrusions.

In the 68-page complaint filed in New York federal court, the SEC says SolarWinds and its then vice president of security, Tim Brown, defrauded investors and customers “through misstatements, omissions and schemes” that concealed both the company’s “poor cybersecurity practices and its heightened — and increasing — cybersecurity risks.”

In a statement, SolarWinds called the SEC charges unfounded and said it is “deeply concerned this action will put our national security at risk.”

Brown performed his responsibilities “with diligence, integrity, and distinction,” his lawyer, Alec Koch, said in a statement. Koch added that “we look forward to defending his reputation and correcting the inaccuracies in the SEC’s complaint.” Brown’s current title at SolarWinds is chief information security officer.

‘Repeated red flags’

The SEC’s enforcement division director, Gurbir S. Grewal, said in a statement that SolarWinds and Brown ignored “repeated red flags” for years, painting “a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.”

The very month that SolarWinds registered for an initial public offering, October 2018, Brown wrote in an internal presentation that the company’s “current state of security leaves us in a very vulnerable state,” the complaint says.

Among the SEC’s damning…


SolarWinds Misled Public on Risks Before Hack, SEC Claims (1)


The Securities and Exchange Commission alleged on Monday that SolarWinds Corp. defrauded investors by downplaying security risks ahead of a hack of its software that rippled through computer systems across the US government and corporate America.

The SEC also accused the top information security official at SolarWinds, Tim Brown, of breaking securities rules in a lawsuit filed in federal court in Manhattan. The action is the first time the regulator has sued a computer security executive for a cybersecurity-related issue.

The SolarWinds hack was among the worst cyber breaches in history, affecting hundreds of public companies and numerous government agencies. …


SEC is investigating MOVEit mass-hack, says Progress Software


U.S. securities regulators have opened a probe into the MOVEit mass-hack that has exposed the personal data of at least 64 million people, according to the company that made the affected software.

In a regulatory filing this week, Progress Software confirmed it had received a subpoena from the U.S. Securities and Exchange Commission (SEC) seeking “various documents and information” relating to the MOVEit vulnerability. “The SEC investigation is a fact-finding inquiry, the investigation does not mean that Progress or anyone else has violated federal securities laws,” Progress said, adding that it intends to “cooperate fully” with the investigation.

Progress also said in the filing that it expects to see minimal financial impact from the MOVEit mass-hacks, despite the broad scale of the incident.

The company said it incurred $1 million of costs related to the MOVEit vulnerability, once it had taken into account received and expected insurance payouts of approximately $1.9 million.

However, Progress notes that a loss from this incident remains possible after 23 affected customers launched legal action against the company and “intend to seek indemnification.” Progress said that a further 58 class action lawsuits have been filed by individuals who claim to be affected.

While it’s almost six months on from the discovery of the MOVEit zero-day vulnerability, the exact number of impacted MOVEit Transfer customers remains unknown, though cybersecurity company Emsisoft reports that 2,546 organizations have so far confirmed to be affected, impacting more than 64 million individuals.

New victims continue to come forward. Last week, Sony confirmed that more than 6,000 employees had data accessed in a MOVEit-related incident, and Flagstar Bank said more than 800,000 customer records had been stolen.

November security incident

Progress Software said in the filing that it expects to incur additional costs of $4.2 million related to a separate cybersecurity incident in November 2022.

The filing doesn’t reveal any details about the incident, but John Eddy, a Progress spokesperson representing the company via a third-party agency, confirmed that Progress Software at the time uncovered…
