Welcome to Cyber Security Today. From Toronto, this is the Week in Review edition for the week ending Friday February 11th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In a few minutes I’ll be joined by guest commentator David Shipley, chief executive of Beauceron Security in Fredericton, New Brunswick. But first a quick look at some of what happened in the past seven days:
Just over half of surveyed Canadian organizations hit by ransomware or malware paid the amounts demanded by cybercriminals. That’s one of the findings of a poll released this week of 491 medium and large companies. It’s one of the stories David and I will look at.
Speaking of ransomware, news emerged that a Quebec man has been sentenced to six years and eight months in prison by a Canadian judge for his role as an affiliate of the Netwalker ransomware gang and his attacks on 17 Canadian organizations.
The FBI arrested a husband and wife in New York and charged them with allegedly laundering millions of dollars in bitcoin stolen several years ago from a Canadian cryptocurrency exchange.
Microsoft said that, starting in April, it will block by default the running of Visual Basic macros in files received by email in five Office applications. David will explain why it’s about time.
Coincidence or not? Amid the crisis in Ukraine, there’s more action against cybercrooks in Russia. Russian media reported this week that six people were arrested for allegedly being part of a hacking group. Also this week, three criminal marketplaces that sold stolen credit cards suddenly displayed seizure notices claiming to be from the Russian government. The Bleeping Computer news service couldn’t confirm the notices are legitimate. This is the third hacking group arrested by Russian authorities since the beginning of the year.
The recent Log4J vulnerability has some complaining that open source software code isn’t scrutinized closely enough before being released. But in testimony before the U.S. Senate this week, the president of the Apache Software Foundation said that none of the automated code checking tools on the market today would have caught the vulnerability. David Nalley said the bug withstood automated tools and seven years of contributors auditing the code, because the problem came from the complex interaction of multiple systems combined with Java code dating back to the 1990s.
(The following transcript has been edited for clarity. To hear the full talk, play the podcast)
Howard: I want to now bring in David Shipley from Fredericton New Brunswick. Tell us about yourself.
David: I guess I’m an accidental cybersecurity professional. I’ve been a Canadian Army soldier, a newspaper reporter, a digital marketer for a Canadian university. On Mother’s Day, 2012 the university got hacked and I was the one that raised the alarm – and I went down the Alice in Wonderland rabbit hole of cybersecurity. The CIO asked me to be the director of strategic initiatives, which I did for five years.
A fun fact about that particular hack: It was led by a U.S. Navy sailor hacking us from a carrier.
Howard: And now you’re CEO of Beauceron Security. Tell me a bit about it.
David: We’re a 40-person Canadian startup. We’ve been around since 2017 and we serve some of the biggest banks, telcos and governments as well as every other sector across North America. We have our first few customers in Europe, and now in Africa. We work to empower people to be in control of the technology they use every day. We’re using a SaaS platform with gamification and new kinds of education to help turn the cybersecurity story around.
Howard: Is there a difference in the cyber threat landscape in Atlantic Canada compared to other parts of the country?
David: I think it’s closer than not, but in Atlantic Canada we typically see a slower pace of digital transformation. That in some cases has probably been a net benefit for us in terms of some of the major [cyber] attacks we’ve seen that are leveraging companies that are more digitally connected. That being said, I’ve seen tragedies here with ransomware taking down mom-and-pop construction supply companies. We’ve certainly seen major attacks here, like taking down the healthcare system in Newfoundland. In some ways we’ve missed the worst of it, but we’re now walking into the same threat environment as the rest of Canada.
Howard: I want to turn to a survey of 491 medium to large Canadian firms that was released this week. It was done for a Quebec IT services firm called NovaPro. The wording of the survey questions is always crucial to the responses in any survey. One of the questions in this one asked, ‘If your company was the victim of a cyberattack, did you pay the ransom asked by the hackers?’ Fifty-six per cent said yes. They were also asked if they used a negotiator. Did you find these questions informative?
David: I think the interesting part of that question is ‘Did you pay what they asked?’ versus ‘Did you pay?’, which are two entirely different things. The cybercriminals who are committing ransomware nowadays often take their time to find out what insurance you have, they’ll read your financial statements if available, so they’ll have an opening ask — but they know what they want to get on average from a company of your size. So I think it’s important to explore that negotiation. I wasn’t that surprised with that number [56 per cent paid] because we’ve seen other surveys from groups like the Canadian Internet Registry Authority (CIRA), published back in the fall ahead of the IT World Canada MapleSec conference, that showed two-thirds of survey respondents in Canada were willing to pay a ransom. In the United States we’ve seen surveys as high as 83 per cent were paying. And we know criminals have been making money hand over fist from ransomware. So we’ve been paying; that part of the story doesn’t surprise me.
Howard: I thought one way of interpreting the question is they couldn’t negotiate and therefore they had to pay exactly what the threat actor was asking, but another way is that they didn’t negotiate [and just paid], or they did negotiate and then paid what was agreed on. So it was sort of an odd way of phrasing the question, I thought.
David: Absolutely. And that goes back to the fact that these attackers do their homework and so they may know exactly how to jam you up in terms of what they want. We underestimate the business savvy of these organized crime gangs.
… At the end of the day far too many organizations are paying these ransoms. What we’ve seen is the attacks escalate, they [attackers] re-invest, the demands get larger. What more of a wake-up call do we need? We had a critical source of meat protein jeopardized in 2021 in the JBS Meat ransomware attack. We had the Colonial Pipeline attack. The energy side. We’re watching a massive attack on Vodafone in Portugal right now. They’re hitting the critical infrastructure now. So this strategy of looking after ourselves and paying the ransom because that’s the most effective and most reasonable business course of action is what we would normally refer to as the tyranny of the common — that what’s good for you maybe solves your particular problem but you’re making the situation worse for everybody. And this is why it’s so important that we see legislation and new policy directives that make it unpalatable to pay the ransoms.
Howard: I would argue that most of the time companies are paying the ransom because their backup and recovery operations for data aren’t strong enough and they’ve been caught. And so they feel that they have to pay the ransom because their data is gone.
David: That is absolutely the case. We saw attacks against municipalities in Canada and they [attackers] knew their backup infrastructure. Again, this speaks to sitting around in those networks doing your homework, knowing how it works and making sure you put them [victims] in a headlock. And now you’ve got the rise of double extortion. We saw this in the most horrific sense with the attack on Newfoundland [healthcare system] and the theft of detailed patient records. There are sometimes intimately sensitive topics that you don’t want to have out there, whether you had an abortion, whether you have a sexually transmitted infection. Organizations face huge class-action lawsuits when they lose this information, so I don’t underestimate the compelling logic of payment. I’m saying that that compelling logic fuels criminals who then continue to exercise this. So we’ve got to break the cycle.
Howard: Another question in the survey that caught my eye was about the perception of IT by the respondents. Forty-six per cent said they see IT as an investment, 27 per cent see it as a strategic partner. That’s pretty good. But 14 per cent said they see IT as an expenditure and 12 per cent see it as a necessary evil. That means that 26 per cent of respondents see IT negatively — which by the way is only slightly down from the previous years of this survey. Why is it that IT continues, among some leaders of organizations, to be … what can I say … to be seen negatively?
David: I think there still is a complete underappreciation for the amplification effect that technology has provided over the last 30 years in terms of what our businesses can achieve now. Let’s step back. Let’s think about healthcare. We know that when there are ransomware attacks against healthcare operations they lose three quarters to 90 per cent of their capacity to deliver their vital services. It tells you the absolute criticality of IT — and that’s one extreme example. I’ve seen small businesses — that mom-and-pop construction shop — where all of a sudden they’re back to pen and paper and they could process a fraction of the orders [after a cyber attack]. We take technology for granted every single day and I would probably suspect that that 26 per cent is probably higher. We have not done a good job in helping business leaders understand technology as a competitive advantage and as a strategic asset. Not many CEOs or senior leaders love paying for insurance, either. They don’t really like paying for the audits — or for anything because that means they’re not making as much money. But we do need to do a better job of talking about how technology makes you more money, because that’s the language of business.
Howard: Let’s go back to ransomware. We learned this week that a Quebec man who was an affiliate of the Netwalker ransomware gang was sentenced to six years and eight months for his role in attacks on 17 Canadian organizations. In the past 12 months police around the world have made a number of big arrests or shutdowns of the infrastructure used by some ransomware gangs. There have also been some closings of online criminal markets. Is there progress being made against cybercrooks or is this just a drop in the bucket?
David: There is absolutely progress being made. But I think there are also telling signs about the next evolution of cybercrime in the stories that we’re seeing. Canadians often think a ransomware gang is somebody sitting in Russia, China, India, now Iran, Brazil. We don’t think that there are Canadians involved in this — but the person here who’s now been convicted, he was one of Netwalker’s most prolific affiliates. He made $30 million-plus. Now keep in mind this was moonlighting. His full-time job was working for the federal government as an IT worker. When you read the affidavits and the background charging documents it’s a fascinating true crime story. But what’s at the crux of how this gentleman got caught is poor operational security. We’re seeing these affiliates who had really poor operational security, which made it trivial for police to unravel the threads and find and catch them. The next generation of criminals are going to get smarter. They’re going to realize that the Americans are going to keep putting $1 million bounties on their heads, so they’re going to get better at hiding their tracks. They’re going to get more ruthless in their attacks. They’re going to realize that they have to do a few big scores and get out of the game. The race continues until we have a properly functioning international order, which is not going to happen in my lifetime. You’re going to have nation-states and organized criminal groups conducting these attacks. [Recent arrests] are by no means the end of cybercrime. It’s the end of the beginning chapters of transnational organized cybercrime.
Howard: Interestingly, a person who claims to be the developer of the defunct Maze, Egregor and Sekhmet ransomware strains this week released their master decryption keys on the Bleeping Computer forums. The poster said this was not related to police action. The cyber company Emsisoft quickly released a free decrypter based on those keys so that victims who haven’t been able to recover their data can do so now. What do you think of this move?
David: I doubt it was altruism. I also don’t think necessarily it was like, ‘There’s a lot of heat, I’m going to throw the keys out to try and get out of this,’ because why would you do that? You probably want to hold on to that as you get nicked and you try and plea bargain and say, ‘Hey, I can unlock this stuff.’ I suspect two things: One, they hit somebody [a large organization] that they knew was going to generate a lot of heat — like what happened in Ireland with the ransomware attack on the national health care system, where a week into it the attackers said, ‘We didn’t mean to take down a health care system, here’s the decryption keys’ (which hilariously didn’t work very well). Security companies had to build new tools to actually help the health care system get out of that jam. Or two — and this is my most likely theory and I have zero evidence — but watching criminal groups and some of the shenanigans that happen within those groups, there might be a fight within the criminal gang and someone decided to burn their friends [by releasing the keys] and make sure they couldn’t make any more money off of their hard work because they got stiffed on the latest raid. We’ve seen some really interesting intra-criminal fighting over the last six months …
Howard: One of the ways that companies get stung by malware is when employees click on links and the links execute Visual Basic macros that allow the infiltration of malware into the company. This week Microsoft said it’s going to change five Office applications to make it harder for people to quickly click on attachments that run malicious VBA macros. What’s being done, and why is this important?
David: For 15 years the security industry has begged for this feature to be disabled by default for files coming from the internet or email. It’s the perfect example of the tension that exists between ‘This could negatively impact my business or business process and I could lose money because we’re not able to be as effective, efficient or productive’ versus the security crowd crying and begging for this really easy low-hanging fruit to get dealt with. And it’s an example of the power Microsoft has now, particularly in the era of Microsoft 365, to change default behavior and massively reduce risk.
… This was a huge move. Is it the end of attachment-based phishing? No. There’s some in the information security community who are deriding the move saying this is not going to be the silver bullet, it doesn’t change the entire scenario, so it’s worthless. That’s garbage. The move is going to be extraordinarily helpful. It just made the lives of cybercriminals harder.
Howard: And finally, organizations are still plowing through their applications looking for Log4j vulnerabilities. There was a big discovery in December about vulnerabilities in version 2 of Log4j. And because open source software is used in critical infrastructure sectors like finance, government and transportation, critics are wondering if open source code is scrutinized enough before being released. But as I said at the top of the show, the president of the Apache Software Foundation testified that none of the automated code checking tools on the market today would have caught this particular vulnerability. It was apparently missed by a lot of people. So what are your thoughts about Log4j?
David: First, on the free and open source software side there are billions of dollars of digital commerce done every day that is leaning on one- or 10-people teams working for free to build this stuff for us, who contribute nothing back to those groups. And then to turn around and say you’re putting out a shoddy product, that is pretty rich. You know what? Build your own damn software … I got a real bone to pick with people pointing the finger at the people doing this work for free. The reality is we need software bills of goods included in products and services and SaaS companies. People need to know clearly, just like we have nutrition labels on our cereal, what ingredients are included [in applications] and they need to understand the processes that companies offering software or SaaS are doing to stay on top of these issues. That’s how we start digging our way out of this.
As far as the second part of your question, regarding the cleverness of exploiting Log4J, I see automated [code] scanners fail all the time. As part of our company’s approach we use automated vulnerability scanners. We use everything you can imagine to check the code as developers are doing it. We use tools to check the code after it’s been put into a release. But these tools are idiots. They are computer programs. They only know the things that they’ve been taught. They are not creative. A true hacker is someone that actually can think creatively: ‘What if I did this and what would the system do?’ and you spend hours just beating away at code just trying to see what happens. And then something magical happens and you find it …
Other human beings are going to understand the flawed thinking that sometimes we use or the little cheats or heuristics or shortcuts or laziness, and they’re going to do amazing things. So you have to invest in human review of your code and think creatively as much as use the automated tools. Sorry, I get really fired up about this.