Each month through 2021, The Morning Breach is going to tackle topics to help businesses better protect themselves against cyber criminals.  The first thing that needs to be done with any change to a cybersecurity plan is proper, up-to-date documentation, so it makes sense that throughout January we focus on the policies and procedures that every business should be documenting.  Not only will we talk about them, but you will be able to find samples of them at themorningbreach.com to download, edit for your organization, and implement.  If you don't take the time to build this documentation properly, you have no way to gauge how secure your data actually is.

The Data Security Vendor Checklist isn't a policy, but it is a critical document that you should have on file for every vendor that has access to or stores your data.  You need to understand how these third parties treat your data and the access you are trusting them with.  The Blackbaud breach in 2020 is a strong enough example.

So who should you have complete this form?  Managed service providers or your IT vendor, printing companies, line-of-business application vendors, and any vendors whose products are used to monitor, manage, and protect your networks.

Start by building a technology org chart: list the vendors and applications you use and what you use them for.  If they connect to your network, access your data, or store your data in the cloud, that is your starting point.

As you receive these, you want to understand whether the vendor collects any PII, as that can trigger a completely different set of breach-notification requirements.  How the data is collected, how it is stored, the encryption methods used, the vendor's compliance frameworks and certifications, and a review of their policies should all be covered.  A SOC 2 report is an auditor's attestation rather than a certification, and a SOC 2 Type II report covers exactly these kinds of policies and controls over a period of time, so ask for the full report rather than a summary letter, and read both the exceptions the auditor noted and the complementary user entity controls, which are the things the vendor expects you to do on your side.

Before you ask: yes, over the next four weeks we will be working on creating those same policies you are requesting from your vendors, because you should have them on file as well.

If you are contracting with a managed services provider or IT vendor, get them involved in the process, as they can likely speed things up with the vendors, but you want to have them list the applications and services they have deployed to protect your network and data.  They should have vetted their vendors already, and if you trust them to deploy a tool on your network then you should trust their judgement on why the tool is needed.  If you are in healthcare, finance, or government, ask to review the security documentation for those vendors, but be prepared to sign NDAs, as most vendors will require one to protect their own security stack.

If you have any questions, let us know by email.

 

The year 2020 will be in the history books for many reasons, and the growth and success of cybercrime should be one of them.  The year saw some of the largest data breaches ever recorded, some whose full scope is not yet known, and there were likely thousands if not millions more that went unreported.

The year started with a Microsoft customer support database sitting completely open with no authentication, which exposed roughly 250 million records.  Databases and online data storage proved to be easy targets for cyber criminals, as similar exposures also hit a UK-based security company's Elasticsearch database (050520), Santander, the 16th largest bank in the world (050820), apps built on Google's Firebase platform (051820), the San Francisco Employees' Retirement System (060820), cybersecurity firm Keepnet Labs (060920), travel sites like Booking.com, Expedia, Hotels.com and others (111020), and many more both big and small.

Police departments were targets across the globe, and the BlueLeaks dump exposed 24 years of records from more than 200 US law enforcement agencies.  It wasn't just law enforcement: local municipalities, counties, state agencies, and federal agencies all reported data breaches.  It is safe to say there was at least one government-level cyber attack in each of the 50 US states.

Universal Health Services, one of the largest healthcare providers and hospital chains in the United States, had staff keeping records with pen and paper and diverted ambulances to other hospitals after a ransomware attack in September.  The healthcare industry has always been a high-risk target because of the volume of sensitive data it collects.  BJC Healthcare, UPMC Altoona, Doctors Community Medical Center (050620), Babylon Healthcare Services (061102), even the genealogy site GEDmatch (81320), and again this is just a small sample of the reported cyber attacks against health services through 2020.

The two biggest stories, which are still being uncovered, are the cyber attacks on Blackbaud and SolarWinds.  Both provided entry points via their application or service into their clients' data, and it will likely be a year or more until we understand the full scope of the attacks.

Blackbaud's software was connected to over 170 data breach reports after a ransomware attack discovered in May 2020.  Blackbaud produces cloud-based fundraising, marketing, and customer relationship management solutions for educational institutions, non-profits, healthcare providers, and more globally.

SolarWinds is the latest breach that still has people talking: here the Orion platform, which is embedded in several SolarWinds products, had malicious code inserted into its builds that gave the cyber criminals behind the attack a backdoor into end customers' networks.  The late-2020 cyber attack affected government agencies globally, including the US Treasury, Homeland Security, the Department of State and many others.

Some 250 government agencies and businesses may have been affected by the breach.  The latest report from Microsoft is that the attackers were able to view source code in several of its internal repositories, though the account they used had no permission to modify code.

Closing out 2020 there were attacks on Lake Regional Healthcare, Whirlpool Corporation, the City of Cornelia, Georgia, Carnival cruise line subsidiaries AIDA Cruises and Costa Crociere, IndiGo, and even another T-Mobile data breach, its fourth in the last three years.

As 2020 comes to an end, the promising note is that more companies are asking questions about cybersecurity and how they should protect themselves.

Researchers at the Israeli security firm Guardicore Labs have uncovered a massive attack on 85,000 MySQL servers by an anonymous group of hackers.  The campaign, called PLEASE_READ_ME, has resulted in at least 250,000 databases being stolen and their contents offered for sale on the dark web.  If you run MySQL servers, make sure they are not reachable from the internet unless they have to be, that every account has a strong password, and that backups are current and have been tested.
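Whether a database server can be logged into or brute-forced from the internet comes down to two things: whether it listens on a public interface, and which accounts may connect from any host with a weak or empty password.  The following is an added example, written for this page rather than taken from Guardicore or from The Morning Breach, that audits both for MySQL.  It works over rows in the shape of the mysql.user query shown in the code plus the text of my.cnf; the rows and the config fragment are constructed for the example and do not come from any real server.

```python
"""Audit a MySQL server for the exposure that lets an internet-facing instance
be logged into or brute-forced.

Added example, not from Guardicore or The Morning Breach. It works over rows
in the shape of
    SELECT Host, User, plugin, authentication_string FROM mysql.user;
plus the text of my.cnf. Rows and config below are constructed for this
example, not taken from any real server.
"""
import re

USER_QUERY = "SELECT Host, User, plugin, authentication_string FROM mysql.user;"

# Constructed rows (Host, User, plugin, authentication_string). Hashes are
# placeholders; only whether the string is empty matters to the checks.
SAMPLE_USERS = [
    ("localhost", "root", "caching_sha2_password", "<hash>"),
    ("%", "root", "mysql_native_password", "<hash>"),
    ("%", "app", "mysql_native_password", ""),
    ("10.0.%", "app", "caching_sha2_password", "<hash>"),
    ("%", "backup", "caching_sha2_password", "<hash>"),
]

# Constructed my.cnf fragment.
SAMPLE_MY_CNF = """\
[mysqld]
datadir=/var/lib/mysql
bind-address = 0.0.0.0
port = 3306
"""

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def audit_accounts(rows):
    """Return (account, severity, issues) for every account worth fixing.

    'high' when the account has no password or combines two problems (for
    example root reachable from any host); 'medium' for a single problem.
    """
    findings = []
    for host, user, _plugin, auth in rows:
        issues = []
        if not auth:
            issues.append("no password set")
        if host == "%":
            issues.append("login allowed from any host")
        if user == "root" and host not in LOCAL_HOSTS:
            issues.append("root login allowed remotely")
        if issues:
            severity = "high" if ("no password set" in issues or len(issues) > 1) else "medium"
            findings.append((f"'{user}'@'{host}'", severity, issues))
    return findings


_BIND = re.compile(r"^\s*bind[-_]address\s*=\s*(\S+)", re.MULTILINE)


def listens_externally(my_cnf_text):
    """True if the server accepts TCP connections on all interfaces.

    Stock MySQL defaults bind_address to '*' when it is not set, so a config
    with no bind-address line counts as external; distribution packages often
    pin it to 127.0.0.1, which is the safe setting for a single-host install.
    """
    m = _BIND.search(my_cnf_text)
    if not m:
        return True
    return m.group(1).strip("'\"") in {"*", "0.0.0.0", "::"}


def remediation_sql(findings):
    """Lock passwordless accounts and drop remote root. Other findings need a
    human to pick the right host pattern, so they are only reported."""
    statements = []
    for account, _, issues in findings:
        if "no password set" in issues:
            statements.append(f"ALTER USER {account} ACCOUNT LOCK;")
        elif "root login allowed remotely" in issues:
            statements.append(f"DROP USER {account};")
    return statements


if __name__ == "__main__":
    found = audit_accounts(SAMPLE_USERS)
    for finding in found:
        print(finding)
    print("listens on all interfaces:", listens_externally(SAMPLE_MY_CNF))
    print("\n".join(remediation_sql(found)))
```

Run the query in USER_QUERY on each server you own and feed the rows in; an account that is both reachable from any host and reachable on a server bound to 0.0.0.0 is the combination to fix first.  The remediation statements lock rather than drop passwordless accounts so that an application depending on one fails loudly instead of silently losing data.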

The United States Supreme Court has agreed to hear TransUnion LLC v. Sergio L. Ramirez, which looks to answer whether Article III or Rule 23 permits a damages class action where the vast majority of the class suffered no actual injury, let alone an injury anything like what the class representative suffered.  This case could have a large impact on data-breach litigation moving forward.  TransUnion argues that many of the proposed class members lacked legal standing to assert a claim because the errors in their credit reports were never sent to a third party and they were never denied credit or otherwise injured by the error.

The long-term effect matters because in many data-breach class actions the named plaintiff alleges personal fraud as a result of the breach but seeks to represent a large class of individuals, many of whom may not have suffered fraud themselves.

A decision from the Supreme Court is expected by June of 2021, so we will wait and see.

The U.S. Treasury Department disclosed a serious breach that began in July, and its full depth is still unknown.  Microsoft told the Treasury that dozens of email accounts were compromised within the Treasury's Departmental Offices unit, which houses its highest-ranking officials.  Although this is commonly discussed alongside the SolarWinds cyber attack, it has not been confirmed that the two are connected; one possibility is a phishing campaign that yielded credentials and gave the attackers access to the mailboxes.

This is why it is critical to monitor mailbox forwarding and inbox rules and to require MFA on your systems; it is not known what, if any, security measures were in place when this attack occurred.  A rule that forwards or redirects mail to an outside address, especially one that also deletes the original so the owner never sees it, is one of the most common signs that a mailbox has been taken over.
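The check described above, as an added example written for this page rather than taken from The Morning Breach or from Microsoft: it reads a CSV in the shape of an Exchange Online inbox-rule export (the column names mirror the Get-InboxRule fields ForwardTo, ForwardAsAttachmentTo, RedirectTo and DeleteMessage) and flags every enabled rule that sends mail to a domain the organization does not own.  The rows and the INTERNAL_DOMAINS set are constructed for the example.

```python
"""Flag Exchange inbox rules that forward or redirect mail outside the organization.

Added example, not from The Morning Breach or Microsoft. It reads a CSV in the
shape of an Exchange Online inbox-rule export (the columns mirror the
Get-InboxRule fields ForwardTo, ForwardAsAttachmentTo, RedirectTo and
DeleteMessage); the rows below are constructed for this example.
"""
import csv
import io
import re

# Domains the organization owns; any other domain counts as external. Assumed.
INTERNAL_DOMAINS = {"example.org", "mail.example.org"}

# Constructed export. The second and fourth rows show the pattern a mailbox
# takeover leaves behind: a rule with a throwaway name that sends copies to a
# free-mail address, sometimes deleting the original so the owner never sees it.
SAMPLE_EXPORT = """\
Mailbox,Name,Enabled,ForwardTo,ForwardAsAttachmentTo,RedirectTo,DeleteMessage
cfo@example.org,Invoices to AP,True,ap@example.org,,,False
cfo@example.org,.,True,,,payments-review@gmail.com,True
hr@example.org,Archive,True,,,,False
ceo@example.org,Rule 1,True,"alice@example.org;exec.assistant@outlook.com",,,False
ceo@example.org,Old forward,False,,,ceo.backup@protonmail.com,True
"""

_ADDR = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
# Empty name, a single punctuation mark, or the Outlook default "Rule N".
_THROWAWAY_NAME = re.compile(r"\W?|Rule \d+")


def external_recipients(field):
    """Return the addresses in a recipient field whose domain is not one of ours."""
    return [m.group(0) for m in _ADDR.finditer(field or "")
            if m.group(1).lower() not in INTERNAL_DOMAINS]


def audit_rules(export_text, include_disabled=False):
    """Return (mailbox, rule name, severity, external recipients) per suspicious rule.

    Severity is 'high' when the rule also deletes the message or carries a
    throwaway name, the two tells that the rule was made to hide activity,
    and 'medium' for a plain external forward, which still needs a look.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["Enabled"] != "True" and not include_disabled:
            continue
        ext = []
        for col in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            ext.extend(external_recipients(row[col]))
        if not ext:
            continue
        hidden = row["DeleteMessage"] == "True" or _THROWAWAY_NAME.fullmatch(row["Name"].strip())
        findings.append((row["Mailbox"], row["Name"], "high" if hidden else "medium", ext))
    return findings


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_EXPORT):
        print(finding)
```

The same check belongs on the mailbox-level ForwardingSmtpAddress and ForwardingAddress properties, which live on the mailbox rather than in its rules and which this script does not read; disabled rules are skipped by default because an attacker can re-enable one later, so pass include_disabled=True when reviewing a mailbox you already suspect.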

The full extent of the SolarWinds cyber attack is still unknown, but more pieces of the puzzle are coming together.  Big tech companies including Intel, Microsoft, Nvidia, and Cisco all received the malicious Orion update.  Exacerbating the issue, investigators have found a second piece of malware on Orion servers, dubbed Supernova, that appears to come from a different hacking group and to have been planted through a separate vulnerability in the Orion software rather than through the poisoned update.

CISA updated its alert last week, noting that this advanced persistent threat actor began operating at least as early as March 2020 and has demonstrated patience, operational security, and complex tradecraft in these intrusions.  CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations.  The updated alert does not supersede the requirements of Emergency Directive 21-01, which ordered affected devices to be disconnected.

There is a lot of conversation pointing to Russian or Chinese influence behind the cyber attack, but I still believe it is too soon, and I have not seen hard evidence indicating that security researchers have identified with certainty who is actually behind or organized the attack.

A recent poll of IT vendors found that 80% of their clients want to leave SolarWinds.  What is important to note is that not all SolarWinds products include the Orion platform.  I can understand the desire to leave a platform that is in the news, but we will learn more about a vendor during and after an attack than we will ever learn about other products.  I believe that SolarWinds is going to be more closely examined and analyzed than any other vendor for the foreseeable future, which is only good for the overall security of all of their products.

To be clear, I am not implying that SolarWinds is out of the woods, and it is critical for us all to stay up to date on security concerns for all of the products used within your business.

As a business owner or a cybersecurity professional, this should be a catalyst to rethink your cybersecurity position.  Congress and the president-elect are promising to make cybersecurity a top priority at every level of government in 2021.  State and local governments need to follow that guidance, and businesses should as well.

The system is broken, and most lawmakers don't even know what questions to ask.  This can lead to impulsive laws that may be well intentioned but will provide little to no relief from the attacks facing networks and data across the globe.

It is critical that we all take some time to review the technology policies, procedures, services, and vendors that we rely on.

Cybersecurity concerns with the Internet of Things reached a milestone with the signing of the IoT Cybersecurity Improvement Act of 2020 (H.R. 1668) on December 4, 2020.  The act requires the development, adoption and implementation of security standards for IoT devices purchased and used by the federal government.  While this is the first federal law targeting IoT device cybersecurity, a California law (SB-327) took effect on January 1, 2020, and the UK has IoT cybersecurity regulatory efforts underway.

The IoT devices covered under the Act include any physical object that is capable of being in regular connection with the Internet or a network connected to the Internet and that has computer processing capabilities for collecting, sending, or receiving data.  This will likely delay some product releases, as vendors selling to the federal government now have to consider security before rushing products to market.

In the end this is a good thing as IoT devices are everywhere and many have little to no security at all.

Intelligence on the SolarWinds cyber attack, and on the backdoor it delivered, which is being called Sunburst, continues to come to light as security professionals around the globe try to understand what happened and what the risk is to them and their clients.  Many of the answers will likely take months or longer as the scope of the attack is worked out.

Reuters talked to security researcher Vinoth Kumar, who reportedly alerted SolarWinds back in 2019 that anyone could access the company's update server using the password 'solarwinds123', adding that any attacker could have done the same.

Yesterday, SolarWinds released hotfix 2020.2.1 HF2 and is encouraging all users to update as soon as possible; this came after multiple sources indicated that the initial hotfix still had the attackers' code embedded.  This hotfix is for the Orion Platform, which is embedded in 18 products offered by SolarWinds.

As part of reverse engineering the backdoor, researchers identified that the domain avsvmcloud.com was being used as a command-and-control server for the attack.  The malware sits dormant for up to 12 to 14 days before calling the domain, so it may take some time to discover who is affected.  FireEye found that the malware terminates itself and prevents further execution when the IP address returned for avsvmcloud.com falls into certain ranges, including Microsoft's, which is believed to be designed to keep the malware from running where Microsoft could examine it.

Microsoft and other industry partners have seized the domain name and begun sinkholing it, which lets them build a list of infected hosts that call home and notify the victims.

Since Sunday, the number of confirmed victims has grown and now includes:

  • Cybersecurity firm FireEye
  • US Treasury Department
  • US Department of Commerce’s National Telecommunications and Information Administration
  • Department of Health and Human Services' National Institutes of Health
  • Cybersecurity and Infrastructure Security Agency (CISA)
  • Department of Homeland Security
  • US Department of State

It should also be noted that in many cases the cyber criminals behind this attack acted quickly and likely established persistence mechanisms to access a victim's network beyond the Sunburst backdoor, so removing the backdoor alone is not enough.  Microsoft has already started blocking the known malicious binaries.

I would expect more information coming to light over the upcoming days and weeks, as with any cyber-attack of this magnitude there are multiple people investigating and digging into the malware.

As far as your own environment goes, you should have something that logs DNS queries or outbound web traffic, and you can use that to search for avsvmcloud.com and any subdomain of it.  A hit means a host on your network reached out to the command-and-control domain, so treat that host as compromised unless it turns out to be someone looking the domain up by hand while reading about the story.  The reverse is not true: no hits only means your logs didn't capture it, not that you are clean, especially if the logs don't go back to when the trojanized update was installed.

From there you want to begin your investigation and identify your risk.
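The log search described above, as an added example written for this page rather than taken from The Morning Breach, FireEye or Microsoft: it scans free-form DNS and proxy log lines for avsvmcloud.com or any subdomain of it, bounded so that look-alike names do not count, and groups the hits by the internal address that made the request.  The log format, every sample line, and the subdomain labels are constructed for the example; the labels are invented and are not real Sunburst beacons.

```python
"""Search DNS and proxy logs for the Sunburst command-and-control domain.

Added example, not from The Morning Breach, FireEye or Microsoft. It scans
free-form log lines for avsvmcloud.com and any subdomain of it, then groups
hits by the internal address that made the request. The log format and every
line below are constructed for this example; the subdomain labels are
invented and are not real Sunburst beacons.
"""
import re
from collections import defaultdict

C2_DOMAIN = "avsvmcloud.com"

# The apex domain or any subdomain of it, bounded on both sides so that
# look-alikes such as notavsvmcloud.com or avsvmcloud.com.example do not count.
# A trailing dot (DNS FQDN form, "avsvmcloud.com.") is still accepted.
_C2_RE = re.compile(
    r"(?<![\w.-])((?:[\w-]+\.)*" + re.escape(C2_DOMAIN) + r")(?!\.?[\w-])",
    re.IGNORECASE,
)
# The requesting host: "client=" in resolver logs, "src=" in proxy logs.
_SRC_RE = re.compile(r"(?:client|src)=(\d{1,3}(?:\.\d{1,3}){3})")

SAMPLE_LOGS = """\
2020-12-01T03:14:07Z dns client=10.20.0.15 query=A name=3mu76044hgf7shjf.appsync-api.eu-west-1.avsvmcloud.com rcode=NOERROR
2020-12-01T03:14:09Z proxy src=10.20.0.15 dst=avsvmcloud.com:443 method=CONNECT status=200
2020-12-01T03:20:44Z dns client=10.20.0.88 query=A name=login.microsoftonline.com rcode=NOERROR
2020-12-02T11:02:13Z dns client=10.20.0.15 query=A name=k5kcubuassl3alrf7gm3.appsync-api.us-east-1.avsvmcloud.com rcode=NOERROR
2020-12-02T11:05:00Z proxy src=10.20.0.40 dst=updates.notavsvmcloud.com:443 method=CONNECT status=200
2020-12-03T08:00:00Z proxy src=10.20.0.77 dst=AVSVMCLOUD.COM:443 method=CONNECT status=200
"""


def c2_hits(log_text):
    """Return (line number, requesting address or None, matched host) for each hit."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = _C2_RE.search(line)
        if not m:
            continue
        src = _SRC_RE.search(line)
        hits.append((lineno, src.group(1) if src else None, m.group(1).lower()))
    return hits


def hosts_to_investigate(log_text):
    """Group matched hosts by requesting address: each key is a machine to triage."""
    by_src = defaultdict(list)
    for _, src, host in c2_hits(log_text):
        by_src[src or "unknown"].append(host)
    return dict(by_src)


if __name__ == "__main__":
    for src, hosts in hosts_to_investigate(SAMPLE_LOGS).items():
        print(src, "->", ", ".join(hosts))
```

Feed it resolver and proxy logs covering the whole period since the Orion update was installed, not just the last few days, because the backdoor waits up to two weeks before its first call and a host that beaconed once may never do so again.  A subdomain-only match (the long encoded label in front of appsync-api) is the backdoor itself; a lookup of the bare apex domain from a workstation is more likely to be a person checking the news, which is why the output keeps the matched host name next to the address.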

September 8, 2020 – The Morning Breach has announced its commitment to National Cybersecurity Awareness Month (NCSAM) by signing up as a Champion and joining a global effort to promote awareness of online safety and data privacy.  Throughout October, The Morning Breach will produce special episodes highlighting the weekly themes in addition to the regular Tuesday and Thursday episodes.

This year the theme of Cybersecurity Awareness Month is “Do Your Part.  #BeCyberSmart” and it is broken out into weekly focus areas:

  • Week 1: If You Connect It, Protect It
  • Week 2: Securing Devices at Home and Work
  • Week 3: Securing Internet-Connected Devices in Healthcare
  • Week 4: The Future of Connected Devices

In its 17th year, Cybersecurity Awareness Month continues to grow with the goal of providing everyone with the information they need to stay safe and secure online.  The Morning Breach was created to help technology professionals and business owners stay educated on current threats, tips to protect their data, and how to make sense of consumer rights and compliance requirements around the globe.

For more information about National Cybersecurity Awareness Month and how to participate visit staysafeonline.org/cybersecurity-awareness-month/.  You can also follow and use the official hashtag #BeCyberSmart on social media throughout October.

Cybersecurity is critical to the success of all organizations.  If you are interested in learning more about The Morning Breach's commitment to Cybersecurity Awareness Month, please reach out by email.

© 2021 The Morning Breach, All Rights Reserved. Produced and Created by Scott R Davis