Hackers Weaponize SEC Disclosure Rules Against Corporate Targets

Published : 23/11/2024   Category : security




Ransomware group BlackCat/ALPHV files SEC complaint against its latest victim, putting an audacious new twist on cyber extortion tactics.



The ransomware group ALPHV (aka BlackCat) has filed a formal complaint with the US Securities and Exchange Commission (SEC), alleging that a recent victim failed to comply with new disclosure regulations.
An ALPHV insider told databreaches.net that, on Nov. 7, the group successfully attacked the digital lending service provider MeridianLink, exfiltrating its files without encrypting them. Thereafter, aside from one interaction, the prolific threat actor failed to engage the company in negotiations over the stolen data.
ALPHV posted that data to its leak site on Wednesday. It also tried out an unprecedented extra extortion tactic, filing a report about its own crime to the SEC, claiming that its victim failed to follow new SEC guidelines for how soon companies have to publicly disclose their breaches.
"This is yet another warning to security leaders, who must recognize that disclosure decisions and plans are no longer solely guided by security best practices; federal legal liabilities also play an important role," says Patrick Tiquet, vice president of security and architecture at Keeper Security.
On July 26, the SEC announced new cyber rules for public companies. One standout was a requirement that companies disclose any cybersecurity incident they determine to be material, along with a description of the material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant. Such a submission will generally be due four business days after a registrant determines that a cybersecurity incident is material.
When four days passed with no word from MeridianLink, ALPHV submitted information about the breach through the SEC's official website:
"We want to bring to your attention a concerning issue regarding MeridianLink's compliance with the recently adopted cybersecurity incident disclosure rules," the group wrote. "It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules."
The source provided databreaches.net with a screenshot of the form, and the automated receipt confirming submission.
Putting aside the sheer audacity of the move, ALPHV may be out of luck with the SEC for two reasons.
For one thing, in a statement provided to BleepingComputer on Wednesday, MeridianLink stated that it wasn't yet sure if any consumer personal information was compromised, adding that "based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption." Exactly what data ALPHV stole and published may affect whether the breach is material, per SEC language.
Second, as noted in its original press release, the new SEC disclosure rule only takes effect on Dec. 18. (Smaller companies will have even more leeway, with an extra 180 days before they have to get on board.)
Future victims of similar attacks will have fewer breaks to count on.
"Using the threat of filing a failure to report complaint against its own victim to the SEC is a compelling tactic that could weaponize a government regulation for a cybercriminal group's benefit," Tiquet warns. "Disciplinary action from the SEC is not to be taken lightly and fines can be very steep."
