Cyber Security Today, Week in Review for Friday May 13, 2022

Welcome to Cyber Security Today. From Toronto, this is the Week in Review edition for Friday May 13th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.

In a few minutes Terry Cutler, head of Montreal’s Cyology Labs, will join me for a discussion about three recent news stories. But first a look back at some of what happened in the past seven days:

Yesterday was Anti-Ransomware Day. Everybody’s against ransomware, but what can IT leaders do about it? Terry will have some answers.

Speaking of ransomware, we’ll have a few words to say about a proposal to fine Colonial Pipeline after last year’s ransomware attack in the U.S. Why? Because the company’s incident response plan allegedly wasn’t thorough.

And we’ll also look at the acknowledgment by Ikea Canada that an employee searched through the company’s customer database in March without permission.

Also this week, the director of cybersecurity at the National Security Agency told a British cyber event that the number of ransomware attacks worldwide has gone down in recent months. He suspects it’s because economic sanctions against Russia over its invasion of Ukraine are making it harder for Russian-based criminals to organize attacks and receive ransomware payments.

Separately, researchers at Secureworks have joined other experts saying that after an interruption in operations there’s more evidence the REvil ransomware gang is back in business.

Security researchers urged network administrators to patch their F5 Network BIG-IP security devices to close a serious vulnerability.

The province of Quebec launched a bug bounty program, which will reward researchers who find vulnerabilities in select government applications.

HP released a security update for the BIOS in a number of business notebooks, desktop PCs, point of sale PCs, workstations and thin clients. The updates stop an attacker with kernel-level privileges from getting full control over affected computers.

Microsoft released its security updates for Windows on Patch Tuesday this week. But some that are installed on domain controller servers are causing authentication failures. Microsoft will have to issue a fix for the fix.

And Siemens released advisories on vulnerabilities in a number of products, including several of its Desigo internet-connected building automation devices.

(The following transcript has been edited for clarity)

Howard: From Montreal, I’m joined by Terry Cutler. Good afternoon.

Let’s start with Anti-Ransomware Day. This began in 2020 as an education initiative by Kaspersky and the Interpol police co-operative. It was sparked by the global spread three years earlier of the WannaCry strain of ransomware. A lot has changed in ransonware since then: Gangs are now targeting companies and governments instead of home computers, gangs are running double extortion strategies by first stealing and then encrypting data to put extra pressure on victim firms, they’re running live hands-on attacks and they’re finding better ways of evading IT defenses.

This week firewall manufacturer SonicWall estimated that there were 623,000 ransomware attempts last year on its customers alone. Terry, we’ve talked a lot about ransomware before. Is there anything new about what IT leaders should be doing to lower the risk of being victimized by ransomware?

Terry Cutler: Ransomware has come a long way. I remember seeing a hands-on attack happening at one of our new clients where they had software running on one of their computers called OTR, which stands for Off The Record. Attackers were logging into the system and they were working with the victim company’s tech support to launch commands and map drives into the system and then launch ransomware attacks manually. It’s very scary to know that there’s an actual hands-on attacker in your environment and not just some automated script. And what we’re seeing is that a lot of customers are still having a hard time with their patch management, especially around this one patch called the MS-17010 vulnerability which is known also as EternalBlue. This is the one that caused the WannaCry infection. And it’s very difficult sometimes to phase that out because you want to turn off SMB [Windows Server Message Block] version 1 and sometimes there’s some old systems that still rely on it. So it’s not very easy to just turn it off. Whenever we do a penetration test we love to get our hands on that exploit if it’s available. So when we do our vulnerability assessment on a client’s system and we see machines that are missing that patch, once we’ve exploited it we have full control over that system. We actually get system-level access where we can pull out all of the usernames and passwords, and also possibly decrypt their passwords if they’re weak and we can also do a pass-the-hash attack, where we take hashed information and pass it off to another server and log in as an administrator or as system-level service without ever knowing the password. So it’s very important organizations run at least a vulnerability assessment … The problem right now is IT is not doing a great job with patch management.

Howard: And and just a reminder to our listeners. You’re talking about the EternalBlue Windows vulnerability that was patched four years ago — and you’re saying there are companies that are still running servers that haven’t installed that patch.

Cyber Security Today, Week in Review for Friday May 13, 2022

Terry: Yeah. Sometimes IT doesn’t always use automatic updates so they have to manually download and apply that patch. But a lot of times they don’t even realize that it’s a vulnerability because a lot of times they’re hiring IT guys that are not familiar with cybersecurity and the vulnerabilities that exist out there. They’re just doing break-fix jobs.

Howard: Talking about how ransomware gangs are able to exploit companies, I was listening yesterday to a webinar by Info-tech Research about ransomware, and they got a question from one of their clients wondering how hackers seem to know who of their failing phishing tests … Apparently this company was hacked and the victim employee was someone who was regularly failing tests and the hackers knew about it and they targeted this particular guy. It seems to me that that that’s evidence that shows that hackers are in a system long enough that they’re reading people’s email and they’re finding out things about employees and they’re finding out which employees are most susceptible to phishing.

Terry: Wouldn’t it be funny if it was actually the hackers that were testing the employees to see who would fail their tests? The thing is most hackers are in your system for about six to 18 months prior to being detected. They’re able to get access to bank change forms so they can send a message like, ‘Don’t wire the money here wired to another bank account’ (which the hackers control).

Howard: Kaspersky this week issued an update on recent ransomware trends, one of which is that gangs are making their ransomware able to run not only on Windows but also on Linux systems as well. That’s quite a threat to many companies because Linux is widely used, especially on web servers.

Terry: Folks have to lose the perception that Linux and Macs are unhackable. There are definitely exploits that are coming out right now that can have a similar impact to Windows environments. Take for example REvil and Darkside gangs. They’re able to create a version of ransomware that runs natively on Linux. So it’s very important the cybersecurity folks and IT guys have a consensus that security is platform agnostic — and we need to realize that as quickly as possible. We always have to make sure our patches are up to date. Stay connected to [cyberseurity] forums because the last thing you want to do is get ransomed and realize that this [exploit] was public knowledge — like with EternalBlue. When protecting Linux servers make sure you implement things like the 3-2-1 backup strategy where you got to make sure you have three copies data, two of them could be onsite and one of them has to be offsite and accessible only in case of a disaster. And make sure you’re running technology like EDR [endpoint detection and response] to help prevent ransomware.

Howard: Kaspersky also released the results of a separate survey they did in April. This time they surveyed senior business executives about ransomware. Sixty per cent of the 900 respondents think that the media makes ransomware threats bigger than they actually are. What do you make of that?

Terry: Well, they are big. I don’t think they’re necessarily blowing it out of proportion. The part that I don’t like about being blown up proportion is that some think, ‘These sophisticated gangs targeted us.’ No, the user just clicked on a link he wasn’t supposed to, and they [the firm] had no internal processes in place to know there’s a hacker in there and no proper response plan to get him out. That’s typically what’s happening. There’s not enough visibility into IT environments, and the only time they realize that there’s a problem is when the hacker makes a mistake.

Howard: The survey also said that 64 per cent of respondents said that their firms had already been victims of ransomware So what are those chief executives and vice presidents who believe that the media overhypes ransomware thinking? ‘Well, we’ve been hit once it won’t happen to us again?’ or are they thinking, ‘We’ve been hit once and we’ve improved our defenses so we won’t be hit again?’

Terry: It’s funny you mentioned that because the newest ransomware notes start with, ‘Hello again.’ … We’re definitely losing the war. Even if you pump in millions of dollars of cyber security technologies there’s still a good chance you’re going get hit. There’s no silver bullet to stop a hacker, so the priority needs to be how fast can you recover properly.

Howard: What should IT teams be doing before, during and after a cyber attack?

Terry: The first thing is get a vulnerabilty assessment done first. They need to know what vulnerabilities they currently have in their IT environment, and get a proper asset inventory. If they do get hit with ransomware they need to know who is responsible for what — who’s in charge of speaking with lawyers, who’s going to make a call to law enforcement to at least advise them that an extortion is happening, whose calling the cyber insurance company, who’s going take care of bringing in incident responders?

Employees need to be trained on keeping their hands off their computers. We had a case where even though the files were all encrypted one user kept clicking on the ransom note to open his files. When we had to negotiate with the threat actors the company had to pay three times the amount because each time the user clicked it started another level of ransomware.

Howard: One I’d like to make clear is preparing to defend against a ransomware attack is the same as preparing for any other kind of malware attack: Know your assets. Make sure things are patched. You’ve got to look for vulnerabilities. Independently back up your data. Have an incident response plan.

Speaking of incident response plans, listeners may recall that last year Colonial Pipeline in the U.S. had to shut its oil pipeline after a ransomware attack on the IT side of the company. Not the pipeline operations side. That shutdown caused huge lineups at gas stations on the East Coast of the U.S. This week the U.S. pipeline regulator proposed fining colonial about $850,000 in part because it didn’t have properly documented procedures for restarting the pipeline manually, and that included what to do if the phone system was shut down so that pipeline operators could get instructions and confirmations. To me this proposed fine is about a company’s incomplete incident response and disaster recovery plan. How should an IT department develop an incident response plan?

Terry: There are a lot of moving parts. You’ve got to write down everything that can go wrong in the environment and how to respond. Then put it into a playbook. It’s all part of the whole disaster recovery strategy. You have to be able to detect something wrong, find a way to triage the information, contain the attack and look at post-incident activity. Proper documentation is key here.

When we develop playbooks for companies we have to think of everything including natural disasters. We had a case where a customer was very concerned a tornado could wipe out their data center and the two SANs (storage area networks) would be gone. How would they get their business back up and running? You need to factor in everything — including supply chain delays. For example, if you need a replacement server you got to factor in four to nine weeks or more of delays. One suggestion: Learn from others. Learn from other people’s horror stories.

You should have sections in your report called ‘Roles and responsibilities.’ It’s going to pretty much involve all of the heads of the departments. You’re going to have persons responsible for both internal communications with employees and external communications for the media. You’re gonna have HR management in there. You need to have physical security. And administrative support staff who will be responsible for taking notes as the incident response team meets.

Howard: You also need a patched backup PC for the IT team with all of the tools that it needs for recovery with a cellular connection to the internet that’s on a different network than the organization’s regular provider, and a cell phone to be used by the incident response team.

There are lots of free resources on the internet. If you do a search for ‘How to prepare an IT Incident response plan’ you’ll find a lot of resources. [You can start by reading one of my stories from SecTor]

Finally, I thought we should look at Ikea Canada’s admission that an employee improperly searched its customer database. This is known generically as an insider attack. Ninety-three thousand Ikea Canada customers are being notified that some of their information may have been exposed. Ikea Canada says no financial or credit card data was accessed. It also said it’s taken steps to make sure that data wasn’t saved or shared with anybody else, but there are lots of questions here. What was the employee doing, did they save the data, how was the employee caught? These were questions that I asked of Ikea Canada, and they told me only that this was noticed during an investigation. What caught your eye about this incident?

Terry: It reminded me very much of a financial institution here in Montreal where the employee had too much access. He was accessing things he wasn’t supposed to. He made copies of the data and wasn’t caught until later on. So obviously the application that they used for monitoring access to their customer data wasn’t doing auditing or monitoring. Or maybe this stuff was being logged but nobody was watching it until a problem occurred.

I suspect that they had to do a forensic analysis of the employee’s laptop to see what he was searching for, because sometimes Windows servers or applications lack log functionality. Or if the IT department enables logging there is just so much data to look at that they just turn it off.

Popular Articles