Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday August 27th, I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.
With me this week to talk about a couple of items is Terry Cutler, head of Montreal’s Cyology Labs. But first a look back at some of the stories from the past seven days:
Websites run by some of the world’s biggest organizations, including some U.S. state governments, Ford and Microsoft, left people’s personal information open on the internet. Why? Because staff used Microsoft’s Power Apps tools to develop applications. Power Apps is a platform for quickly creating apps. It’s aimed at people who don’t know a lot about writing code but need to put up an app quickly. But researchers found a quirk in the way the platform’s web portals are configured: some developers didn’t realize they were leaving sensitive data out in the open.
This is one of the stories Terry and I will talk about.
Another is how a New Hampshire town lost $2.3 million in a business email compromise scam. Crooks fooled city employees into sending expected payments to bank accounts the criminals controlled.
Microsoft this week urged administrators of on-premises versions of Exchange Server to patch their servers as soon as possible. This came after the U.S. Cybersecurity and Infrastructure Security Agency issued an urgent alert to admins to get cracking on the updates. The updates close a series of vulnerabilities collectively called ProxyShell. Two of the security patches have been available since April, the other since May. Hackers are actively scanning for unpatched Exchange servers. You have been warned.
Here’s a summary of security updates issued this week by vendors: If you use products from F5 Networks the company has issued critical patches for its BIG-IP line. VMware has released security updates to address vulnerabilities in multiple products including Cloud Foundation. Patches are available from the OpenSSL Software Foundation. And Cisco Systems has released security updates for products that use its Cisco FXOS and NX-OS operating systems.
How can governments fight ransomware? That was a question asked this week at a cybersecurity panel run by the Institute for Security and Technology. And the answer was: forbid organizations and individuals from paying ransomware gangs. But, the panelists added, a government can’t issue a ban without first being ready to deal with the possible ramifications. That would include the disruption of essential services by a determined attacker.
Finally, Bitdefender has found a new backdoor used by a threat actor that researchers call FIN8. This gang often tries to compromise financial institutions and point-of-sale devices. The backdoor is still under development, but it uses a PowerShell script to load itself onto victims’ servers. Companies are warned to segregate their point-of-sale network from other parts of the IT network, and to practise normal cyber hygiene, such as educating employees to spot the phishing emails that start a compromise and lead to the installation of a backdoor.
(The following is an edited transcript of my talk with Terry Cutler. To hear the full discussion play the podcast)
Howard: I want to first talk about the Microsoft Power Apps story because of its ramifications. UpGuard, the Australian cybersecurity company, found the configuration vulnerability in the way Power Apps web portals allow access to data. It says 47 organizations accidentally left 38 million records of information open on the internet — a record being like one piece of information, like a name, a date of birth, a social security number. So first of all, what is Power Apps and the Power Apps portal?
Terry: In a nutshell, Power Apps is a low-code platform which will help improve and automate processes that businesses use every day. It has things like drag-and-drop templates and all that fun stuff. And what’s happened here is that the Power Apps portal was configured to allow public access. One of the options inside the platform is what’s called OData, which is the open data protocol for the API, which allows the apps to retrieve information from the portal. One of those things is a table. The table can have a list of usernames, passwords or medical information, depending on what table you have access to. But one of the problems was that the OData feed allowed anonymous access to the list and the data.
This is known as a misconfiguration attack. Even though the [Power Apps] manual says if you configure this you expose the data. But if you’re not familiar with how to set up these types of web services, you’re not going to know. And a lot of times when you’re an administrator and you don’t know what you’re doing you just enable everything because you want convenience. You don’t want users to call in saying, ‘Hey, this stuff doesn’t work. We’re moving to somewhere else.’ So basically the tables were misconfigured.
I believe UpGuard made several requests to Microsoft saying there’s a vulnerability here. And Microsoft came back saying, no this is working as designed … Microsoft [later] came back and changed the way the tables work.
Howard: So what went wrong in Microsoft’s approach to Power Apps and the Power Apps portal?
Terry: I think they made it too convenient for it to be set up. Because the tables had anonymous access [as default] when it’s being configured that [potentially] allowed scammers to pull data down without permission. Microsoft has now turned on table permissions by default. So now not anybody can just drive by and download the data, which is a great step. Microsoft developed a tool recently to go and check to see if your [Power Apps] systems are misconfigured. So that was a good step.
Howard: So if a developer wants a user to have general access to data on a portal, the developer has to go out of their way to turn that on.
Terry: Correct. And that’s the best approach because if it’s set up for too much convenience you’re not going to know if something’s misconfigured.
Howard: So what’s the lesson for software developers who want to create tools to help people create applications.
Terry: Get familiar with the latest attack tactics, like the top 20 [OWASP] guide that tells you where the most vulnerable misconfiguration flaws occur and how data breaches are easily done. When you follow those best practices you’ll learn how to test the security [of an application] and make sure it’s safe. That’s the only way that we’re going to move forward. We’ve got to educate the developers on how to code with better practices in mind.
Howard: And what about the lesson for those who are creating applications and websites? What are the lessons to them about security and data access?
Terry: Again, security’s not about convenience. You’ve got to get your sites tested, because remember, as a developer, you might only know what you know. When you hire a cybersecurity expert, they’re going to complement your skillset. They’re going to see stuff that you missed or didn’t think about.
Howard: I want to turn to the business email compromise story. This involves the town of Peterborough, New Hampshire, which acknowledged that it was recently victimized by scammers to the tune of $2.3 million. In one incident, the regular monthly $1.2 million direct payment that the town was supposed to transfer to the local school board went to crooks. It happened because the town’s finance department was fooled by emails pretending to be from the school board. There are no details, but probably the scammers told the town that the board’s bank account was being moved to another financial institution and the payment should go there.
And in the other incident, two bank transfers that were meant to go to a contractor working on a bridge in the town didn’t go to the company. Again, probably the scammer sent emails, pretending to be from the contractor saying that he changed banks. It isn’t clear if the town’s insurance will cover the loss. This type of scam is called a business email compromise. It works because government departments and companies understandably often announce who they’re doing business with. For example, a municipality will proudly announce the winners of a bid to build or restore a bridge. Terry, what’s your experience been with victims of this type of scam?
Terry: I think it really boils down to user awareness training. If users aren’t aware of these types of phishing attacks or social engineering attacks, they’re going to be really easy targets. I’ll share an actual story that happened on a case we did about two years ago, where somebody was fooled into clicking on the link and had their access compromised. Once a scammer gets into the inbox he’s able to read all the contents. In this case they found a bank change form. So what they did was they sent an email to [the victim’s] provider in the U.S., which was expecting funding of half a million dollars, saying, ‘We’ve been having problems with our Canadian bank account. Can you please wire the money to Hong Kong.’
It’s not just one email. What they do is they create other fake [email] accounts and they add them as CC, so it looks like a conversation.
Howard: I recall a story about a church in the U.S. losing $1.75 million two years ago. It was a similar kind of scam involving a construction company. I forget whether they were building a new church or an extension. The attackers convinced the church that the construction company had changed bank accounts. In that case they hacked into the church’s email system to send messages to convince other church employees who had responsibility over funds to transfer the money. So in these types of scams, the attackers either create fake email accounts that look like a real company involved in the transfer of the funds, or they hack into legitimate email accounts and use them to send their messages. How can organizations best protect themselves?
Terry: Make sure employees get [security] awareness training. It’s coming down to a point where insurance companies are saying to businesses, if you’re not even training your employees, we’re not going to insure you. So awareness training is key. Watch the dark web so you can get advised if your passwords are leaking. Look at multi-factor authentication [on email accounts]. There’s a flag that you could turn on in your [email service] that warns if an email comes from an external source. If that had been turned on at the company that was asked to change the bank information, it would have shown the message came externally and not internally, as you’d expect from a colleague.
Howard: One other thing that I’d like to point out is that organizations need to have really tough business process rules for handling money, particularly rules that say if you get an email message and someone asks for a change in an established procedure for handling money, like changing a bank account, then you’ve got to seriously question whether that change is true and you’ve got to investigate it.
The last thing I want to talk about in this episode is the panel discussion that I listened to on ways of attacking ransomware. This panel thought that one of the best ways is for governments to forbid ransomware payments, forbid insurance companies from paying ransoms and forbid companies from deducting ransomware payments as a business expense. But the panel members also admitted that you can’t ban those things without first being prepared for the consequences. For example, what happens when a hospital’s medical equipment is impaired by a ransomware attack and it has to cancel surgeries? What alternative does it have other than to pay to get the encryption keys and restore data? Governments have to be prepared for that kind of scenario before they forbid paying ransoms. Terry, what are your thoughts?
Terry: That is a loaded question and statement. If you’re a victim of a ransomware attack you’re going to be faced with two choices: pay the ransom to get your business back up as quickly as possible, or, if you don’t pay it and all your backups are encrypted, you can possibly lose your business overnight. And if you’re a hospital there are lives at risk. So a lot of times it’s faster to pay the ransom than to rebuild the environment. But organizations also don’t realize that if you’re hit with a ransomware attack there could be underlying malware in the environment that’ll hit you again in the future with another ransomware attack. So you still have to re-install the environment anyway.
Howard: One of the things that the panelists discussed was perhaps having an interim ban, so you might ban say retailers from paying ransomware. Organizations involved in critical infrastructure — a hospital, a pipeline, for example — would be given an exemption from paying ransomware. And of course the problem is that just tells the attackers to concentrate on critical infrastructure.
Terry: The cybercriminals would say, ‘These guys obviously value their data, hit them again.’ … Having the proper technology in place, like endpoint detection and response technology, will help cut down ransomware.
Howard: Ransomware is a really, really serious and sticky problem. And as the people on this panel said, there’s got to be a lot of public discussion on how government and regulators can attack it. I’d like to remind listeners to read the report that was issued earlier this year by the Ransomware Task Force. It should give people some ideas about what they ought to do and what we ought to be publicly debating.
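The business email compromise controls Terry and Howard describe above (an external-sender tag on inbound mail, and a business rule that any request to change where money goes is verified out of band) can be turned into a simple triage step in the accounts-payable workflow. The following is an added example written for this page, not code from the podcast, from Cyology Labs or from any of the organizations mentioned; every domain, address and message in it is constructed for illustration, and the lookalike-domain heuristic is a deliberately small one.

```python
"""Triage a vendor e-mail before a payment goes out.

Added example, not from the original article. Domains, addresses and message
texts below are constructed for illustration; the vendor list stands in for
whatever accounts-payable keeps on file.
"""
import re
from dataclasses import dataclass, field
from email.utils import parseaddr
from typing import List, Optional

# The organization's own mail domain and the vendor domains verified when each
# payee relationship was set up (constructed sample data).
ORG_DOMAIN = "town.example"
KNOWN_VENDOR_DOMAINS = {"schoolboard.example", "bridgeworks.example"}

# Phrases that turn an ordinary invoice e-mail into a payment-instruction change.
CHANGE_PATTERNS = [
    r"\bnew (bank|banking) (account|details|information)\b",
    r"\b(changed|switched|moved) (our )?bank",
    r"\b(wire|remit|send) (the )?(funds|payment|money) to\b",
    r"\bupdate(d)? (our )?(remittance|payment|account) (details|information)\b",
]


@dataclass
class Message:
    from_header: str
    reply_to: str          # empty string when the header is absent
    subject: str
    body: str
    from_outside_org: bool  # the mail system's external-sender tag


@dataclass
class Verdict:
    action: str                              # release | flag | hold_for_callback
    reasons: List[str] = field(default_factory=list)


def _domain(header: str) -> str:
    return parseaddr(header)[1].rpartition("@")[2].lower()


def _edit_distance(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, known: set) -> Optional[str]:
    """Return the vendor domain `domain` imitates (label containment or an
    edit distance of at most 2), or None when it is unrelated or exact."""
    if domain in known:
        return None
    label = domain.split(".")[0]
    for k in sorted(known):
        klabel = k.split(".")[0]
        if len(label) >= 4 and (klabel in label or label in klabel):
            return k
        if _edit_distance(label, klabel) <= 2:
            return k
    return None


def triage(msg: Message, org_domain: str = ORG_DOMAIN) -> Verdict:
    """Apply the call-back rule: a change to payment instructions is always
    held until confirmed by phone using the number already on file (never a
    number given in the e-mail); other BEC tells flag the message for review."""
    reasons = []
    text = f"{msg.subject}\n{msg.body}"
    change_requested = any(re.search(p, text, re.IGNORECASE) for p in CHANGE_PATTERNS)
    if change_requested:
        reasons.append("asks to change where a payment goes: confirm by phone "
                       "using the number on file, not one in the e-mail")

    sender = _domain(msg.from_header)
    reply = _domain(msg.reply_to) if msg.reply_to else sender
    if sender == org_domain and msg.from_outside_org:
        reasons.append(f"claims to be from {org_domain} but arrived from outside the organization")
    elif sender != org_domain and sender not in KNOWN_VENDOR_DOMAINS:
        imitated = lookalike_of(sender, KNOWN_VENDOR_DOMAINS)
        reasons.append(f"sender domain {sender} resembles vendor domain {imitated}"
                       if imitated else f"sender domain {sender} is not on file")
    if reply != sender:
        reasons.append(f"replies would go to {reply}, not {sender}")

    if change_requested:
        return Verdict("hold_for_callback", reasons)
    return Verdict("flag" if reasons else "release", reasons)


# Constructed sample traffic: a lookalike vendor asking for a bank change, a
# genuine invoice, and a spoofed internal "director" with a webmail Reply-To.
SAMPLES = [
    Message("Bridgeworks Accounts <ap@bridgeworks-llc.example>",
            "Bridgeworks Accounts <ap@bridgeworks-llc.example>",
            "Updated remittance details for bridge invoice 4412",
            "We have changed banks. Please wire the funds to the new account below.",
            True),
    Message("ap@bridgeworks.example", "", "Invoice 4413 attached",
            "Please find attached the invoice for August.", True),
    Message("Finance Director <director@town.example>",
            "director.town@webmail.example", "Urgent",
            "Please send the payment to this account today.", True),
]

if __name__ == "__main__":
    for m in SAMPLES:
        v = triage(m)
        print(v.action, "|", m.subject, "|", "; ".join(v.reasons))
```

The action is decided by the business rule first: a message that asks to redirect money is held no matter how clean its headers look, because a compromised legitimate mailbox (the church case Howard mentions) produces no domain or Reply-To tells at all. The heuristics only add reasons for the person making the call-back.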