Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday, April 29th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In a few minutes I’ll be joined by Terry Cutler, head of Montreal’s Cyology Labs, with observations about several recent stories. But first a roundup of some of the newsworthy incidents from the past seven days:
U.S. cybersecurity reporter Brian Krebs outlined some of the workings of the Lapsus$ extortion gang, including their ability to convince carriers or companies to swap the SIM cards or phone numbers of smartphone owners to get around the use of multifactor authentication. Terry wants to sound off on that.
He’ll also have a few words to say about the Conti ransomware gang’s attacks on Costa Rica, which hit the administrative systems of a municipal electric utility and several government agencies.
More on ransomware: The Black Basta ransomware group claims it has hit the American Dental Association. The ADA represents dentists in the U.S. The association has acknowledged it is dealing with a cyberattack. The Bleeping Computer news site says Black Basta claims it has hit a dozen victims this month.
The cyber intelligence agencies of Canada, the U.S., the United Kingdom, Australia and New Zealand issued an advisory on the top 15 vulnerabilities routinely exploited by threat actors last year. These are vulnerabilities that have been patched. However, some IT departments aren’t plugging the holes and are paying the price. Terry and I will have a few words about this report.
Researchers at Rezilion released a report (registration required) estimating only 40 per cent of the almost 18,000 open-source packages that use log4j2 have been patched. This despite the fact that the patch was issued four months ago.
Internet companies running cloud compute services for customers were largely the source of a huge denial of service attack earlier this month. That’s according to Cloudflare, which says it blunted the attack. Often denial of service attacks come from compromised internet-connected devices like routers and surveillance cameras. But Cloudflare is seeing more attacks coming from compromised servers in data centres. Data centre managers and companies using servers in data centres should be warned.
Finally, two reports on the cyberwar between Russia and Ukraine came out. Microsoft says Russian aligned threat groups have launched more than 237 operations against organizations in Ukraine. These include 40 destructive acts aimed at taking out critical infrastructure. Tactics include exploiting unpatched vulnerabilities, compromising internet providers and sending malware-filled emails. Meanwhile Wired magazine had an article detailing how Ukrainian IT volunteers are fighting back, knocking Russian websites offline with denial of service attacks. There’s also a bug bounty program to report vulnerabilities in Russian systems for exploitation.
(The following conversation has been edited for clarity)
Howard: Let’s start with the latest report. The cyber intelligence agencies of the Five Eyes countries analyzed the top 15 vulnerabilities routinely exploited by threat actors last year. Of those 15, four of them had patches issued before 2021. Eight of them related to the on-premise version of Microsoft Exchange, so Exchange admins should have quickly installed these updates. Terry, what does this list say to you?
Terry: First of all, I found the report really interesting — and for those of you that haven’t read it, it’s got inputs from folks like the CISA (the U.S. Cybersecurity and Infrastructure Security Agency), the FBI, the New Zealand, Canadian and the U.K. cyber security groups. So there’s a lot of brainpower behind this document. Last year and the year before that were horrible years for the cybersecurity industry because we saw attacks on SolarWinds, things like log4j, ransomware, and the Microsoft Exchange vulnerabilities. But on the positive side we did learn a lot. And one of the things that we were able to uncover is that attackers were able to chain exploits together, which would allow the attackers to exploit and elevate their privileges even quicker. They’re even able to exfiltrate data and cause ransomware attacks. But we also saw things where IT guys were misinformed or uninformed and were telling management that they didn’t need to run antivirus solutions on their Exchange servers or EDR (endpoint detection and response), because it just slows [the IT system] down. They need to understand those days are gone. So we’re still saying the same things over and over and over again: Get your systems patched, fix your patch management issues.
Howard: It’s a very useful list for IT and cybersecurity administrators because they can see these are the most common vulnerabilities that hackers are going after. They can look at their systems and say, ‘Okay, we’ve got these patched …’
You know, one of the 15 is the log4j2 open source logging library. That’s tough to find because it’s inside many applications, so IT teams and developers may not know if they have to patch for that. However, some experts say that four months after this patch was issued there are still hundreds of applications that haven’t been patched on log4j alone. Why aren’t IT departments getting the message?
Terry: This is a real tough one. Last year we observed that the average time to create a proof of concept exploit or to release a patch was about two weeks. And the one thing that was a bit distracting for us [as defenders] was that vulnerabilities in log4j. In a lot of cases businesses noticed they weren’t using the log4j feature. So hackers took advantage of the vulnerability. Unfortunately, what happened was that log4j wouldn’t necessarily store logs as strings, but it would instead interpret the logs themselves. So if an attacker was able to input malicious strings then the system would be able to interpret and execute that at the server level, which would lead to remote code execution. An attacker can run this attack and get the results later, so they can even create a time-lapse [attack]. We also noticed they [attackers] didn’t have to create custom exploits to take advantage of this stuff. All they had to do was create malicious strings. So in the end all the attacker had to do was create an automated script that would identify vulnerable versions of log4j and scan those for externally facing input fields. And then what they could do is launch the string on these fields and then have the systems interpret that. That would give them remote code execution right into the system. At that point they can start copying stuff out.
Howard: What I found very alarming on this list of 15 was that one of the vulnerabilities dates back to 2018, and that’s for Fortinet security appliances, and another dated back to 2019 for a Pulse Secure appliance. It’s pretty obvious that some companies are not patching this stuff, which is the reason why attackers are still looking for and exploiting these as entryways into IT systems. Why are these still being exploited by attackers?
Terry: I think a lot of times that they have poor asset management. They don’t know what versions of software they’re running, what hardware they have. Assessments are probably not being done. So if they’re not doing penetration tests or vulnerability scans on a regular basis they’re not going to find vulnerabilities. We’ve seen cases where IT says, ‘We’re running automatic updates,’ but they don’t realize that it wasn’t working all the time. And of course if you’re deploying patches you never know what it’s going to break. Sometimes we’ve seen patching go wrong and wipe out a configuration. If you’re in a large environment this could be devastating for your business. But you have to understand that if your IT system is public-facing it will be attacked and it will be exploited. So get your assessments done.
Howard: In addition to the top 15 list of exploited vulnerabilities, the report lists 18 more vulnerabilities in products that were commonly exploited last year. And these are from Microsoft, Cisco, VMware and Citrix, and the Accellion FTA file transfer utility that I’ve previously reported was exploited in several large organizations including the city of Toronto. But also on the list are vulnerabilities that go back to 2017, and again they’re being exploited because companies aren’t patching them. It’s really embarrassing.
Terry: To be honest, I wouldn’t be surprised if this list shows up again next year. To be fair, there is so much stuff flying at us — and at a time where IT cyber guys are in demand. There’s a lot of turnover happening right now. We’re being shopped around to the highest bidder. Meanwhile there’s no proper asset management. That gets left behind. And what I find interesting is that for the last 15 years we’ve been saying almost the same thing: The technology right now is somewhere between barely working or not working at all, we’ve got problems with patch management. Mr. Customer, are you monitoring your network? Are your policies and procedures in order? You need to create strong passwords, use multifactor authentication. Most businesses don’t even have the [cyber] basics in place. And even though you might have all the basics and more in place that’s still not enough to stop a cyber attack.
Howard: Well, one thing I will say about this report is that it’s a good use of taxpayer dollars. It’s something that should be read by IT directors around the world. And it’s only one page. It can be found on the web pages of each of these cyber security intelligence agencies in each country.
Let’s move on to the ransomware attacks on Costa Rica. For those who don’t know this is a country of about 5 million people in Central America. Last week the Conti ransomware gang said it hit several government agencies, including the finance ministry and the administration side of an electricity provider. Disruption in tax and customs services is allegedly costing businesses millions. The outgoing president said the attack was meant to threaten the stability of the country. Terry this seems to be a well-placed attack. And a well-placed cyberattack can come close to crippling a small country.
Terry: It’s really important that you’re monitoring your endpoints, your network and your cloud [for attacks]. We’ve been saying this for years: Hackers are in your system for six to 18 months prior to being detected.
The Costa Rica government had over a terabyte of data taken from them, including taxpayer information. Then Conti ransomed them. And because the ransom was for $10 million the government refused to pay. At that point the Conti gang leaked about 850 gigs of data. But during this time had they [the government] had monitoring in place they would have noticed things like beaconings [by the attackers back to their servers]. That’s why these attackers can come back into the network whenever they want and explore the network, map it out, build their plan … Obviously there was no network segmentation in there.
Howard: I want to bring this down from a nation-state level — that is you could cripple an entire small country — to a local level because I think the lesson here is to towns, cities and counties as well as states and provinces that a cyber attack can really be crippling. And of course that’s what attackers want: they want widespread damage and chaos so that governments will feel squeezed into paying a ransom. You’ve got to have an incident response plan as part of your business continuity plan. You’ve got to be disciplined in the field of cyber security.
Terry: It’s interesting. We had an uptick of municipalities contact my company. What’s unfortunate, though, is that municipalities only go for the lowest bid [on IT products and services] so they can show value. As soon as they find a bid that’s a quarter of the price of another — which doesn’t even deliver half the value — they’re, ‘We want this.’ They go for the lowest bid, unfortunately. They have no idea what they want. They need to really get their needs assessments done properly and have a team that can overlook the implementation of technologies like 2FA, segmentation of the network, endpoint detection and response technology.
Howard: The Lapsus$ extortion gang. These are guys who’ve been going after big companies, stealing source code and threatening to release it unless they’re paid. Last week there was a big report by American cybersecurity reporter Brian Krebs who read some of the messaging threads that members sent to each other. That shed big light on how this crew works. We don’t know the whole story because two people have been charged in England and a bunch of teenagers seem somehow to have been involved. Perhaps the arrests have seriously damaged the gang’s operation. But the story by Brian Krebs shows one of its tactics, which is buying usernames and passwords on criminal markets for initial IT access and then if necessary tricking the employees of victim firms or their cell phone companies into reassigning an employee cell phone number to a device that the gang members controlled to get around multifactor authentication.
Terry: It’s scary to know that a group of teenagers running from ages 16 to 21 are hacking into big firms … We’ve really got to get our cybersecurity together. Getting access to leaked credentials right now is the easiest and safest way for cybercriminals to get into your network undetected, because a lot of folks are still using the same password everywhere. For example, let’s say an employee or a VP registered an account on a real estate company. Instead of using his personal Gmail account he used the corporate email and the same password. If that real estate company gets breached his password leaks onto the dark web. And if there’s 2FA the attacker is going to get in. What’s worse is that even though you’ve got security in place, like endpoint detection and response, this [a stolen user name and password] is considered a valid login. So the [protection] technology is not necessarily going to kick in unless you have cloud technology that would look for things like an employee’s impossible travel — one day they’re logging in from Toronto, next day they’re logging in from Nigeria. What attackers are doing now is hacking into legitimate companies and using them as a jump point to attack another company. Or they request information on an individual and possibly transfer their phone out. I had a guest on my show once who used two-factor authentication everywhere, but she forgot it on one of her Hotmail accounts. Attackers got into her Hotmail account, saw all of her security questions, logged into her Telus account, transferred her phone over to Bell and got access to all of her two-step verification. Then they were able to drain her bank accounts and purchase things on Amazon and on eBay. There’s a feature you can enable to prevent this: Activate port protection. It will prevent your phone number from being transferred to another carrier unless you show up in person at the store with ID.
Howard: There’s a great idea. This is something that I talk about: Companies have to implement multifactor authentication properly. It’s not merely having multifactor authentication. You’ve got to train support staff not to be fooled when a caller purporting to be a customer or employee wants to change their SIM card on their phone or add another phone number where 2FA goes.
Terry: And that’s the challenge, because as humans we all want to be helpful and we want to try and help customers as fast as possible with the least amount of friction. That’s one of the challenges we have in cybersecurity right now — we have such a shortage of resources. There’s not enough of us to implement these strategies or technologies. We’ve got to find a way to work as a team.
Howard: Finally, there’s the cyberattack that affected the Canadian vacation airline called Sunwing. This was a third-party attack — the company that supplied the airline’s passenger check-in service was hacked, which led to Sunwing being unable to process passengers quickly by computer. They had to do everything by hand. What did you see in this?
Terry: Consumers can get really angry, and they don’t blame the hackers. They blame the company. So because Sunwing was the brand to the consumer they really took it out on them. And you know, even though the company tried to say they may reimburse passengers, with the delays and all these things it was a nightmare.
Howard: So is this a matter of being prepared for the worst? That’s what every company is supposed to do in their incident response plan and disaster recovery plan. Is this an example of a company that wasn’t prepared for the worst possibility?
Terry: We don’t know all the ins and outs of what happened, but in our experience, because this company was down for at least a week there’s a good chance it was a ransomware attack [against the supplier]. And in our experience whenever ransomware occurs and a database is involved, even if they bought the decryption keys to recover the data the database is usually always corrupted. Maybe there wasn’t a proper backup of the database. But it’s important that companies understand what access third parties have into their IT network. Does the business run vulnerability and penetration tests every year? It shouldn’t be just once a year, it should be every quarter at least because attacks are happening so frequently.
Howard: So how can companies deal with their partners and suppliers — not merely companies that they’re associated with but company partners and suppliers that actually have access to their IT systems?
Terry: They really have to understand what third parties have access to. Because we’ve seen cases where if a company has access to your network such as an MSP [a managed service provider] and it gets breached, because they had access to your environment they’re able to deploy ransomware. You need to really understand what these third parties have access to in your network and are they doing whatever possible to secure their own infrastructure. Maybe they have to show a certificate of proof that they’ve had a penetration test done or some type of IT audit or that IT complies with some cybersecurity frameworks. These are all things that need to be looked at, and not just blindly trusting the partner.