Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday, December 9th, 2022. From Toronto, I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In a few minutes Terry Cutler of Cyology Labs will join me to discuss some recent news. But first a roundup of some of what happened in the last seven days:
A suspected Chinese-based threat actor was in the IT system of Amnesty International Canada for 17 months before being detected. Terry and I will discuss how hard it is for agencies that rely on donations to have proper cybersecurity.
We’ll also look at the ransomware attack on U.S. hosting provider Rackspace Technologies, and a report from Accenture on the increasing use of malware to get around multifactor authentication.
Google admitted that digital certificates used by some makers of Android handsets were stolen — in some cases years ago — and are being used to validate malicious Android apps. As soon as this was learned Google and the manufacturers took protective action. Google Play Protect can detect the malware if and when users log into the Play store. However, the stolen certificates won’t expire for years. How these digital keys were stolen hasn’t yet been explained.
The free Fosshost service for hosting open-source projects is closing. In an online statement founder Thomas Markey said the volunteer-run service expanded too far and too fast. He admitted to failing to lead the project through some difficult times. The company is helping move customers to new providers.
More data-wiping malware is increasingly being used by threat actors. Researchers at Kaspersky earlier this month said they found one pretending to be ransomware they call CryWiper. Separately, researchers at ESET said they found a new wiper they call Fantasy. Fantasy is an evolution of a previous wiper. Both are believed to have been created by an Iranian-aligned group called Agrius. Organizations victimized so far have been in Israel, South Africa and Hong Kong.
When cyber crooks aren’t busy stealing from consumers, companies and governments they’re stealing from each other. That’s according to researchers at Sophos. They told the Black Hat Europe conference this week that some people on criminal forums fail to deliver promised and paid-for malware, or provide malware with a backdoor the developer can use. And once in a while they blackmail each other. Among the lessons: Arbitration threads on criminal forums can be a valuable source of intelligence to security teams.
December means cybersecurity companies start issuing look-backs at significant events from the past year. One of them is NordPass, which issued its list of worst passwords for 2022. Worst because they’re the most commonly used and therefore most easily guessed by hackers. Once again the leader is the word ‘password.’ Others in the top 10 are 123456, guest, qwerty and 1111111. These would be among the first tried by hackers. If they try to break them, these would take only one second to crumble before today’s computers. Please make sure your passwords are complex, use a password manager and enable multifactor authentication on any site that offers it.
(The following transcript has been edited for clarity)
Howard: Back with us again from Montreal is Terry Cutler. Good afternoon. We’ll start with the admission by the Canadian branch of Amnesty International that it was hacked by a suspected Chinese-backed group.
Amnesty International, which has 80 offices around the world, is a large human rights nonprofit headquartered in England. Its Canadian branch is smaller. While the agency wouldn’t tell me how big the Canadian IT department is, we can assume it isn’t large. And like any organization that depends on donations it wouldn’t have a lot of money for cybersecurity. Human rights groups around the world are targets of certain governments who don’t like their advocacy. And among the countries that Amnesty Canada speaks out about is China. So it isn’t surprising that the company that did the forensic audit of the attack concluded it’s likely the threat actor came from China.
What struck me is that the attacker was in Amnesty Canada’s environment for 17 months before being detected.
Terry Cutler: A lot of people don’t realize that the average time that an attacker is in your IT system is 286, so 17 months is a problem. Obviously Amnesty Canada didn’t have enough insider threat detection or a response plan to get the hacker out. But the fact that the attacker was in there for 17 months means that he probably made a mistake and set off an alarm. Clearly they [Amnesty Canada] need to look at more of a holistic approach where they’ll have a good look at their IT network, their endpoints and their cloud together. NGOs often work with outsourced IT groups, and the IT guys often say, ‘We’ve got you covered.’ But the IT guys are like your family doctor: You’re not going to ask them to perform laser eye surgery on you. That’s where a cybersecurity group is going to complement them. But as you know, cyber security experts are very expensive. So a lot of times firms don’t have the budget for them. Also, the management in these organizations feel they don’t have a lot of sensitive information — even though they do — so no one’s going to want to hack us. So they protect their IT networks like they protect their home with antivirus and a firewall. They just don’t have enough detection in place. Cybercriminals know this. That’s why they hack into a not-for-profit group and use them as a jump point to attack another company.
You know, had they [Amnesty Canada] done a simple audit they would have seen things like user accounts that still might be active in the IT system that haven’t signed in months or years, or poor patch management, or terrible passwords. They might even see weird logins coming in from unexpected locations or times of the day.
Howard: Amnesty Canada told me the reason they detected this attack was this past summer they started overhauling their IT system and installing some new things. That’s when they were able to discover evidence of this attack.
Terry: And that’s the problem: They just have to do the best with what they had at the time. Usually when you install a patch or set up some new security is when the attacker is going to be blocked.
Howard: I was told that there were no data exfiltration tools found in the Amnesty Canada IT system. Can we logically conclude for sure that no data was copied?
Terry: I don’t believe so, because if they were just starting to overhaul their systems there’s a good chance that they didn’t have enough event logs, so they probably would not have known that the attackers were exfiltrating data. Not only that, if the IT guys were receiving a ton of alerts a lot of times they may get alert fatigue. So a lot of times these logs or event information is not monitored.
Howard: One thing that occurred to me is that the attack was aimed at the Canadian branch as a way to learn what Amnesty’s headquarters is doing. So just by monitoring email or documents the attacker could learn a lot. In other words, it’s like a supply chain attack, only in this case there’s no evidence the IT system of Amnesty’s headquarters was penetrated.
Terry: When we work with not-for-profits they usually have one IT guy assigned to the company — and, again, he’s an IT guy, not a cyber expert. They often think they just need an antivirus and a firewall and they’re done. Here’s where you should start looking at awareness training for employees because there are so many ways to get into a company: Through leaked passwords on the dark web, the lack of multifactor authentication. Employees need to learn how to spot a phishing email, what not to click on and the dangers of mishandling their information.
Howard: Amnesty Canada said that one of the reasons it went public about this attack is to warn other nonprofits about the importance of cybersecurity. Have you dealt with nonprofits and if so what is their level of security maturity?
Terry: Actually, we have them as clients. Before we brought them into a more holistic monitoring system they were dealing with a ton of problems like tight budgets, shortage of staff, IT guys saying, ‘We got you covered,’ and they deploy EDR (endpoint detection and response). But the thing is, EDR is not going to cover you holistically. There were attacks coming in from the cloud, there was password stuffing of their user accounts on Office 365 — EDR is not going to see that. There were some IoT devices that were infected and beaconing out through their network. Again, EDR is not going to find that. So you need to look at a more holistic solution — on a budget. There are a lot of problems [in nonprofits] but experts are needed to weed out the most common threats.
Howard: The second item we’re going to look at is the ransomware attack on American cloud hosting provider Rackspace. Rackspace sells a number of services including hosted Microsoft Exchange for organizations. Last week that service was knocked offline. We don’t know how the Exchange service was compromised, nor did Rackspace know at the time that we recorded this podcast whether any customer emails or data was copied. Rackspace is helping customers move to the cloud-based Microsoft 365 so their email can continue. But this wasn’t the only recent ransomware attack: A hospital outside of Paris had to shut its IT and phone systems after a ransomware attack over the weekend. Six patients had to be transferred to other hospitals. Terry, we talk a lot about ransomware. What more can you say after another successful ransomware attack?
Terry: We can clearly see that ransomware is not going away. We need better preparation for it, more holistic monitoring [of IT networks]. I keep hammering on this, but it’s true. There are so many attack vectors to worry about. And because most companies are short-staffed they need to start looking at partnering with a cybersecurity firm or hire more IT staff. That’s going to put a lot of defenses in place. But, again, will your IT guy be watching your system at 2 a.m. on a Saturday morning? You have to start looking at outsourcing partners. Now, a lot of times they’ll say you need to deploy EDR everywhere. But let me tell you what happened at a company that we dealt with that had EDR everywhere. They got hit with a ransomware attack and it stayed in their system. When you get hit with ransomware several steps have to happen: You have to disconnect from the internet and rebuild your entire network from scratch. We did that and migrated data from the old network to the new one. And they got ransomed again. So we rebuilt the network again and activated the bridge between the two networks, and got ransomed again. We found out on the third try that the machine that was doing the data migration didn’t have EDR on it. So it still had the ransomware. The other machines with EDR didn’t stop the ransomware attack because it didn’t execute from a box that had EDR protection. So you need to make sure that EDR is deployed properly everywhere — and network monitoring as well.
Howard: Just for those who don’t know, EDR is a step up from antivirus. EDR is short for endpoint detection and response. Can you give us a little synopsis of EDR technology?
Terry: Traditional antivirus is signature-based, meaning when a virus comes through it recognizes the virus signature and blocks it. But it also has to update its database every couple of hours to stay current. EDR detects what’s abnormal [network behavior] and cuts off the process.
Howard: One of the things that that one might take away from the Rackspace incident is IT departments shouldn’t recommend hosted third-party applications if the organization goes to the cloud. They should only subscribe to cloud applications that are offered by the original application maker. Is that a good conclusion?
Terry: I used to work for a software vendor called Novell. A third party wanted to host Novell services, whereas our engineers were monitoring IT and updating the platform. So my biased approach is, yes, you should be working directly with the application maker. I’ll tell you a real story that happened last year, also, coincidentally, with a not-for-profit. They were using a hosted Office 365 with another hosting provider. It got hacked. The attacker was able to access all of their emails. The attacker also found a bank change form. They found out who the nonprofit’s funding provider was, and they [the attackers] started communicating with the funding agency, creating fake emails to make it look like a conversation. They said, ‘We’ve been having problems with our Canadian account. Can you please use this form, change the bank information and wire the money to Hong Kong?’ And the financing company accepted it. That’s how the organization lost half a million dollars.
Howard: Ransomware is a problem, and I think not merely ransomware but any malware, if you don’t have end-to-end encryption of all your data. Then a determined hacker will get at it and you’re going to lose at least some of your data. So the best you can do is to limit the amount of data that an attacker can access — or am I wrong on that?
Terry: You’re absolutely right. But the problem is it could be very, very expensive to secure your environment and there’s still no guarantee [you won’t be hacked]. So the goal is to make it as hard as possible for an attacker to get in. Which is why security audits are important. It will show who may have too much data access or if a problem happened with this account. We often see that in small firms or not-for-profits everybody’s trustworthy, everybody gets administrator access. That’s horrible. That means if anybody gets hacked it’ll affect the entire company. You need to limit data access to only those who need it.
Howard: The final news item we’re going to look at is a report from Accenture on a type of malware called an information stealer. This malware goes after victim information like passwords, usernames, cookies and such stored in browsers or email clients, messaging platforms or cryptocurrency wallets. They may also steal logs from multifactor authentication apps. Why? Because employees are increasingly using multifactor authentication to protect their login credentials. So threat actors want this personal information to defeat MFA. One way is by bombarding the smartphones of target individuals with multifactor authentication requests. If the victim gives in and presses OK, under the right conditions the attacker gets control over the smartphone. With a crook authenticated they can launch deeper attacks into an IT environment. Common information stealers that IT departments should be looking out for are called Red Line, Raccoon, Vidar and Taurus. Terry, are IT and security teams meeting the challenge of this type of malware?
Terry: It’s very, very difficult. These come in often from phishing attacks. We use the same tactics in a penetration test — we’ll send a phishing email to an employee and if he clicks on it and he has enough access on his computer we can become an insider threat. I could turn on his video camera, turn on the microphone, and extract the passwords from his browser. Or we can even do a pass-the-hash attack where we can log in as a person without ever knowing the password. The key here is really around employee awareness training, especially around MFA fatigue. This is where you receive repeated messages on your phone asking if you logged in from Montreal. A victim clicks yes, and boom, the attacker is in. This is where IT departments need to start looking at authentication-based apps [instead of receiving SMS confirmation texts] where the user has to type in a password. Awareness training is going to be key.
Howard: The thing is threat actors can buy monthly access to information stealers or they can buy a lifetime licence — and it’s cheap. One information stealer can be had for US$150 a month or US$1,000 for a permanent licence.
Terry: We’re also seeing there’s been more leakage of [victim’s stolen] logs on the dark web, which has the information of users and their passwords. This really comes down to awareness training. Also, [IT and security teams] should look at dark web monitoring for their companies. There are services that do it and give an alert the moment an employee’s password has leaked.
Howard: The report notes that in October the U.S. arrested a major player behind the Raccoon stealer and allegedly dismantled the malware’s IT infrastructure. However, someone claimed on an exploit forum that the project is still running.
Terry: We’ve talked about this in various podcasts before that groups are coming and going. But the background players are all usually the same.
Howard: What more should IT and security teams be doing to blunt the threat of information stealers?
Terry: Again, I think dark web monitoring is going to be key to help with some automation. IT also needs to start looking at how they set up their MFA authentication mechanisms. Use an authentication-based app instead of push notifications, include biometrics [for logins] and also look at awareness training, especially around MFA fatigue and social engineering attacks. Users need to understand how to spot email problems in the ‘From’ address, or when it’s addressed to ‘Dear customer,’ and how to hover over a link to show the real domain it goes to. It’s hard to encourage users to learn about these things to protect themselves online … but we need to really keep hammering home on this.