Welcome to Cyber Security Today. This is the Week In Review edition for the week ending Friday, February 19th, I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com. In a few minutes I’ll be talking with Dinah Davis, vice-president of research and development at Arctic Wolf. But first a quick look at some of the top headlines in the past seven days:
 |
 |
 |
The healthcare sector will continue being targeted by threat actors, particularly with ransomware, because of the vulnerably of the industry due to the COVID pandemic. That was one of the main conclusions of a report by IT security volunteers called the CTI League. It focuses on helping to better protect hospitals, clinics and medical research institutions from cyber attacks. In its first annual report the group notes that nearly two-thirds of healthcare cybercrime victims were in North America and Europe. Among the more serious findings is that threat groups often used unpatched software vulnerabilities and weak, reused, or default passwords in remote connectivity systems to get into victim organizations. One reason may be that many IT departments deployed remote connectivity hastily when management told people who could to work from home.
Ten men in Europe are accused of being part of a gang that was able to take over the smartphones of well-known people in the United States and the U.K. They did it by SIM-swapping, which is convincing wireless carriers to swap the SIM cards in victims’ phones to handsets they control. Usually crooks do this by using counterfeit ID in person or online. After getting access to the celebrities’ accounts they changed passwords to apps and bank accounts, then stole or bought over $100 million in cryptocurrency. The best way you can avoid your SIM card being taken over is by having a PIN number on your cellphone carrier account. If a crook doesn’t know the PIN number the carrier shouldn’t change your phone.
Meanwhile, the U.S. Justice Department has identified three people from North Korea’s military intelligence who were allegedly responsible for stealing and extorting more than $1 billion in money and cryptocurrency. They also allegedly created the WannaCry 2.0 ransomware. Among the targets were Sony Pictures, banks and ATM machines. Separately, the U.S. said a Canadian will plead guilty to money laundering some of the money obtained by the North Koreans.
Using free or test versions of software saves money, but it could leave your firm open to being hacked. That’s the lesson from news that the free open source version of the Centreon IT monitoring platform has been hacked for years. Customers of the paid version of Centreon were safe because they were getting software security updates. The open-source version hadn’t been updated for five years. Think before using free software for an extended period, especially if it hasn’t been updated for a while.
Finally, COVID-19 vaccine sale scams continue to be pumped out by crooks. According to a report this week from security vendor Tessian, they are aided by the ability to create domains that impersonate legitimate healthcare websites, tout misinformation around injection side effects and falsely claim to offer guidance around timing and logistics of distribution to fool people. Tessian says 2,697 new website domains related to the COVID vaccine were created in a five-week period alone between early December and January. Some were malicious. Their goal is to fool people into filling out forms to steal personal information or to sell fake vials of vaccine and steal credit card information. Twenty-two per cent of fake COVID websites take advantage of “typo-squatting,” which is spelling a legitimate site’s name slightly differently in an effort to fool people.
For my discussion of two of these stories with Dinah Davis of Arctic Wolf I started with the Tessian report.
The following is an edited transcript. To hear the full conversation click on the Play arrow at the top of this story:
Howard: This report is troubling for a number of reasons. First, some people may hurt themselves and others by buying fake vials of vaccine from phony websites. And second, they may get misinformation from these sites. And yet setting up fake web fake websites is an old tactic for crooks. In fact, it’s essential for most scans, regardless of whether they deal with COVID. They’ll send an email to a victim that has to have a link to a website so that the victim goes where the crook wants them to go. And it’s so easy to create a phony web address. All you have to do is misspell the word “vaccine,” for example, with one “c” or register a hospital’s name as .org instead of .com or replace the letter L with the number 1. Why is it so easy for crooks to register fake website domains?
Dinah: You can register any domain, very cheaply at a number of different domain providers. Anybody can create any website if it’s not already taken. The key is here [for consumers] is to help yourself stay safe. You really need to check a few things. You really need to check for spelling mistakes and then domain names. If you’re in Canada you should never click on a link to go to a vaccine registration site. You should go directly to your provincial healthcare website or the federal site. I specifically checked every single province site and they all have COVID-related information right on their front page. So there’s no reason you should ever have to go anywhere but those official pages. You can also go to [the web site of] your local health care unit.
If you want to check if any site legit I have a favorite website that I use for this all the time it’s called “islegitsite.com.” It checks about five key things for any website. You put the name of a website and see what it is evaluated as.
A good report summary is “potentially legitimate.” It’ll never tell you more than “potentially” because there could always be a slim chance of it not being legit. It will check is the Web of Trust rating, a crowdsourced collection of website ratings and reviews from over 6 million people. It can tell you if a website has been blacklisted. It’ll also check the domain creation date. Domains that are long-lived have a much higher likelihood of being legit ones that have just been created in the last few months.
It will also tell if the site uses HTTPS, and its popularity.
Howard: In terms of organizations protecting themselves from typosquatting, which is the technical term for, deliberate misspellings of website names by crooks, don’t organizations have to spend some money to trademark their names and, and buy related URLs that could easily misspell the corporate names?
Dinah: They do, but it’s easy to not have not having bought all of them. There’s so many combinations, there’s infinite combinations, probably of different ways to misspell — use a different letter instead of a number. So if there’s always going to be that chance that you didn’t buy all the ones you needed to buy, or sometimes they’re already purchased and you can’t get them.
Healthcare attacks
Howard: The other thing I want to talk about that’s also healthcare-related is the report from the CTI League. They’re are a group of volunteer cybersecurity experts trying to help the healthcare sector be better prepared to fend off cyber attacks. What I found interesting was a finding that attackers were often able to get into networks of healthcare institutions through unpatched software vulnerabilities and weak or reused or default passwords in remote connectivity systems. Isn’t it common that ransomware and other attacks start through phishing or social engineering attacks?
Dinah:I think that’s actually a common misconception. In our research and what we’ve seen in our clients is that RDP (remote desktop protcol) compromise is the top vector for ransomware attacks. The other vectors are still there, and are well used. But with the pandemic so many more people started working from home. Their computers were typically behind company firewalls before. So if their ports were open for RDP connections, it was fine because it was behind the company firewall. Now that they are working from home a lot of them are no longer behind the company firewall and attackers have been trying to take advantage of that.
There’s a couple of things organizations can do, especially to prevent RDP attacks: Use strong passwords. One of the biggest ways we see RDP attacks is with brute force attacks. So the hackers will get maybe a password dictionary and they’ll try and just run through the password dictionary, or they’ll try credential stuffing. They’ve gotten usernames and passwords from other places. And they’re going to try those on your RDP connections. So using strong passwords using two-factor authentication is important. You should always make sure that RDP is only available through a corporate VPN. So close those ports. If you don’t have them behind a firewall definitely use network-level authentication for access to them. If possible close any access to port 3389 at the firewall. And if you don’t use RDP you don’t even need to do any of those things. You just close the ports because you can change which port you do RDP from. And usually, hackers are gonna go with 3389 because that’s the classic one. If people have left that open, it’s going to be the easiest hit for them.
Howard: Why aren’t IT departments securing logins with authentication, especially after this has been talked about constantly by cyber experts easily for the past two years?
Dinah: It’s always that trade-off between security and usability and convincing everyone in the organization that you need to make that trade-off on two-factor authentication. They may not have an application already in house that’s going to make this easy to do, they may have to go and buy something. And so it takes time to roll these things out. That would be my guess. It should be high priority, but, you know, sometimes it just doesn’t make it up there on that list.