Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday, February 3rd, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
In a few minutes David Shipley of Beauceron Security in New Brunswick will be here to discuss recent cybersecurity events. But first a quick look back at headlines from the past seven days:
The 2020 ransomware attack that temporarily crippled a Maryland public school district started with a staff member falling for a phishing email, according to a report released last week. That wasn’t the only human failure. David and I will talk about lessons learned.
We’ll also look at two new pieces of computer-wiping malware from a Russian-based group targeting Ukraine.
We’ll delve into a heated online debate that a misconfiguration of the KeePass password management application could allow anyone to copy supposedly protected passwords.
And David and I will discuss the aftermath of the dismantling of the Hive ransomware gang’s IT infrastructure.
Also in the news, manufacturers of point-of-sale devices have been warned of new malware that defeats the secure tap-and-pay capability of credit and debit cards. Researchers at Kaspersky say the latest version of the Prilex gang’s malware forces customers using infected POS devices to insert their cards into the payment devices. That way the malware can read transaction information hidden when customers wirelessly tap their cards. POS makers and distributors have to combat this advance.
Microsoft has disabled fake partner network accounts created by crooks to enable phishing scams. The crooks were impersonating legitimate companies when enrolling in the partner program. They then used the access to trick firms into granting permission to access fraudulent apps created by the crooks. The goal was to hack companies’ email. Most victims were in the U.K. and Ireland.
QNAP released a fix to close a vulnerability in storage devices that run its QTS 5.0.1 operating system. It needs to be installed as soon as possible.
GitHub has revoked a number of code signing certificates for some versions of GitHub Desktop for Mac and Atom apps. This comes after Microsoft discovered threat actors had stolen the certificates.
And administrators of servers running the Redis in-memory database were warned that a hacking group has been compromising Redis servers for the last 15 months. The group is dubbed HeadCrab and uses malware undetectable by traditional anti-virus, say researchers at Aqua Security. As a result the gang has created a botnet of at least 1,200 servers. Redis should not be exposed directly to the internet.
(The following transcript, which has been edited for clarity, is the first part of our discussion. Play the podcast to hear the entire conversation)
Howard: Let’s start with the report on the 2020 ransomware attack on the Baltimore County Public School system. The county surrounds the city of Baltimore. At the time the system supported 173 schools, 100,000 computers and devices used by 140,000 students, teachers and staff members. The attack started with an educator receiving a phishing message pretending to be from an official of a college. Attached was a supposed invoice. The educator fell for the lure, tried opening the attachment but couldn’t — the report doesn’t say why. That might have stopped things. But the person sent the email to an IT tech liaison person, who then forwarded it to a security contractor. The contractor mistakenly opened the attachment on an unsecured email domain and that triggered the spread of the malware and the eventual ransomware attack. The school board’s antivirus couldn’t detect the malware because the file format wasn’t known. The malware had been programmed to not execute immediately, another reason why it wasn’t detected. But the malware was able to quietly disable critical functions on the IT network that could have prevented the malware from spreading the ransomware. It didn’t help that some of the previous security recommendations by the state’s auditor had NOT been implemented, including moving the board’s publicly accessible database servers to the cloud. Nor had multifactor authentication been implemented. What do you make of this incident?
David Shipley: First, I’m glad that we have the level of transparency with this report. I have no doubt in my mind Baltimore County Public School District is not unique. Think about how every public school district is squeezed for every penny and dollar. None of this [report] surprises me, but all of this transparency can help others learn from this. And let’s be honest: we don’t expect schools to be as secure as we expect banks in critical infrastructure — and criminals know that and have been hammering away at the sector. I really appreciate the transparency. I wish they [the report authors] had gone a little bit further. I’m still confused by what they mean by the [contractor using an] unsecure email domain. I would have much preferred to understand more about the mechanics of this. Was the security consultant’s device connected to the school’s network at the time? And I would love to know what ransomware family this was. I would love to know if the security consultant had elevated privileges. Was it a combination of opening it on a device that was connected to the network with elevated privilege that led to this? That is what I currently hypothesize, because it just seems incredibly unclear. I did some background research on the total cost of this incident and to date it’s US$10 million — and they’re still not fully recovered … The chain of events is preventable. The question now is, with valuable information, will other school districts be given the resources, the time and the support to make these changes?
Howard: It sounded like from this report that the school board had two email networks. One of them was secured and one wasn’t secured. Is this common? Is this good practice?
David: This is where the report doesn’t help. I don’t think that it’s terribly common, and I don’t think it’s necessarily what they intended. I think this [synopsis] is the potential [broken] telephone effect of highly technical expertise and forensic reports hitting kind of a bureaucratic process. It would be weird to have two entirely separate email systems, one of which if you compromise you sink the battleship. That’s unusual.
Howard: Coincidentally, because this is about a human failure in someone falling for a phishing scam, this week Terranova Security released the results of its annual Gone Phishing Tournament, which is an international test of how many employees will fall for a phishing test. This year’s test was a supposed gift card offer. Seven per cent of people clicked on the link to see more information. And three per cent of those people actually entered their company credentials to get the supposed gift card — which, of course, is an absolute violation of security awareness training. That three per cent failure rate is actually good news, because more people fell for tricks in previous tests. So the failure rate has gone down. But even still, if you think about it, in a company of 100 employees three would have given away their passwords had this test been real.
David: The challenge with phishing remains. By the way, criminals know this: Phishing attacks were up 61 per cent in the fourth quarter of 2022. The sophistication of phishing attacks continues to escalate. We’ve done research with millions of phishes, and we know that if an organization does not educate their employees about phishing and doesn’t do phishing simulations on a regular basis their click rate can be as high as 33 per cent. So it doesn’t surprise me that the click rate on a per-template basis varies dramatically like this. A seven per cent click rate is cool. But if you put a little bit more effort, like the manager’s name, into the [test phishing] email template you wouldn’t believe the additional impact [in staff falling for the lure].
Howard: Here’s something else: The malware did not corrupt the Baltimore County school board’s backup files. But when IT tried to use the latest backup some of the files relating to the HR department and staff payroll were unreadable or damaged. So the school board IT department had to use a one-year-old backup file — which of course didn’t have the latest HR and payroll information.
David: It’s so critical to have exercises where on a quarterly basis you actually try to recover something from your backups. Rotate through your critical systems and try your backups at depth. This has to be part of the routine maintenance and process of maintaining backups. You cannot assume that automated systems are always going to work. Change happens. Drift happens within technology, and if you don’t pay attention it will catch you. Badly.
Howard: The report recommends the school board do things that every IT pro should know: Follow the 3-2-1 backup rule, which is three copies of data on two different devices with one stored offsite; use cloud backups with intelligence; do regular backup tests and have security awareness training for staff.
David: These are all the good basics. The other part that I think needs to be included in these recommendations is that the senior leadership of school districts need to practice tabletop cyber attack scenarios annually. Work through a ransomware incident, work through a staff member going rogue etc. You’ll realize gaps in your technology processes … The reality is education is under attack and it’s going to remain under attack. The only way it’s going to change is if the sector increases its vigilance.
Howard: This reminds me of another news story this week: A senior Microsoft security official told a CISO conference in Toronto that many cyber attacks are successful because firms haven’t implemented cyber security basics like limiting privileged access and using multifactor authentication.
David: Cybersecurity isn’t a story about the lack of technology controls. We have thousands of vendors offering thousands of ways to reduce risk for organizations. But it goes back to people, process and culture. Are we giving IT teams the time to set these up? Are they getting the political buy-in from management? The greatest barrier to multifactor authentication is not cost or technology. You can afford a decent MFA from a variety of different providers — and honestly, if you can’t afford it you should re-evaluate what you’re doing because it’s less than a cup of coffee. The biggest barrier is people don’t want to be inconvenienced; they resist change. They only want to apply it to certain groups. The biggest barrier to security is culture and process.