Welcome to Cyber Security Today. This is the Week in Review editon for the week ending Friday June 10th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In a few minutes I’ll be joined by Terry Cutler, head of Montreal’s Cyology Labs, to discuss some of what’s been happening recently. But first a look back at headlines from the past seven days:
The LockBit ransomware gang claimed it had stolen data for sale from cybersecurity provider Mandiant, a claim that was quickly denied. What’s going on? Terry has some thoughts. We’ll also look at reports from security researchers on a new pressure strategy on organizations by cybercrooks, and the discovery of over 1,000 Elasticsearch databases online whose content has been replaced with ransom notes.
Elsewhere, the annual RSA security conference was held this week in San Francisco. At a roundtable with reporters the NSA’s director of cybersecurity said the U.S. electronic spy agency is worried ransomware and botnet attacks could be used in November’s midterm elections to erode confidence in U.S. elections. Separately an FBI official told the conference that Chinese hackers have stepped up their probes against the U.S. tech sector since Russia’s invasion of Ukraine.
The United States this week seized the websites of the SSNDOB Marketplace, which sold stolen Social Security numbers and dates of birth of U.S. residents. Over the years the sites listed information on about 24 million people in the U.S. Authorities said the site generated more than US$19 million in sales. The takedown was accomplished with help from law enforcement authorities in Cyprus and Latvia.
A New England medical imaging provider is notifying 2 million Americans that their personal data may be at risk after a data breach.
Security analysts at the SANS Institute warn an unpatched vulnerability in Microsoft’s Support Diagnostic Tool is something Windows administrators need to act on. The flaw, called Follina, can be exploited through a malicious Word document.
And U.S. agencies warned that Chinese-sponsored hacking groups are still exploiting unpatched and publicly-known vulnerabilities in devices from Cisco Systems, Citrix, D-Link, Fortinet, Netgear, Pulse and other network equipment providers to get into IT systems. Patches have been issued for these holes. There’s no excuse for network administrators not to have installed them by now.
(The following transcript has been edited for clarity. To hear the full conversation play the podcast)
Howard: Let’s start by looking at the LockBit ransomware gang’s claim on Monday that it has stolen data from security provider Mandiant for sale. Mandiant denies there’s been a data theft. It could be a coincidence, but LockBit’s claim came out as the annual RSA Conference in San Francisco started. Assuming the data theft is true the goal might have been to embarrass a big company at a big event. Another possibility is LockBit was taking advantage of a Mandiant report the week before that suggested that threat groups are moving to use the Lockbit strain. Terry, what do you think is going on?
Terry Cutler: I think the timing is very interesting because of the RSA Conference. Pretty much all eyes are on RSA, obviously. I think they’re being made to get embarrassed. But at the same time, it’s a PR nightmare because now the supposed hack is overshadowing their brand.
Howard: A researcher at Emsisoft suggested that if it is true that LockBit has some Mandiant files they might have gotten them through hacking another company, not necessarily Mandiant itself.
Terry: We see this repeatedly. It could be a partner that Mandiant works with that has too much access into the Mandiant system. Over time we see a lot of companies that have no [network] monitoring in place, they have bad patching, they have no [intrusion] detection technology, or a partner is no longer working there but their account is still active. There’s also good chance that Mandiant asked for proof of life of the [allegedly stolen] files.
Howard: LockBit is becoming one of the most prominent ransomware groups at least by the number of claimed victims on its data leak site. According to a report from researchers at Kala during the first quarter of this year LockBit claimed it had 226 victims, and that’s second to the Conti group. This report also noted the difficulty, though, of trusting data leak site claims. For example, in January Conti claimed that it hit a U.S. auto dealership and In March the same company was listed on another ransomware gang site and it was listed on a third gang’s site in April. This raises an interesting question: Are gangs co-operating or are they fighting with each other?
Terry: It wouldn’t surprise me if the members are actually overlapping. That way they can actually double-dip. Ransomware gangs actually have a shortage of staff, as well. Last year some of the members of Conti leaked some documents that actually showed some of these groups have an HR department. There’s performance reviews and they even have an employee-of-the-month program. Someone even leaked the Conti ransomware source code.
Howard: The other thing that came out of this report from Kela is that ransomware and data theft gangs have a new strategy: They publish a description of a victim organization but not its name, so if the organization doesn’t pay a ransom for decryption keys or return of data then it would be named. The goal, apparently, is to give the victim company an opportunity to quickly pay up before facing public embarrassment. Here’s an example: The Everest gang listed an unnamed Canadian company in British Columbia as a victim, claiming that it has 96 gigabytes of their data with personal records. Is this a good strategy by a criminal gang?
Terry: How noble of them. This does give victims a bit of breathing room to figure out what was taken, instead of them dealing with chaos trying to find their incident response plan and trying to pay the group …
Howard: There’s no shortage of threat intelligence companies looking into ransomware gangs and their attack patterns. I mention that because also this week security researchers at a company called Black Kite released a report on 21 new victims that the Clop Ransomware gang recently listed on their site. When the researchers scanned the websites of those organizations that were claimed to be victims it found evidence that they weren’t very prepared for cyber attacks. Eighty per cent of the organizations had critical ports left open, 40 per cent had open remote administration ports, 25 per cent had critical vulnerabilities, 45 per cent had leaked credentials These problems may not have been the way the Clop gang got into some or all of these companies. But doesn’t that quick scan suggest that departments still aren’t locking down their infrastructure?
Terry: Yeah, because IT guys aren’t really trained to be cyber security experts. They don’t have the proper tools in place or they lack training or expertise … so it’s important that they at least have a proper strategy in place to at least learn how to scan their environment themselves to detect vulnerabilities that exist.
Howard: So tell me what does a company do when a threat group claims that it has some of their data, but there’s no immediate evidence of a hack?
Terry: I think it becomes a big PR nightmare. It could hurt your brand because what’s happening is you’re being accused of getting hacked without any evidence. So during this time the company has to deal with really bad press. Reporters are constantly trying to get information out of them. And as I mentioned earlier, when a ransomware group comes to you and says ‘We have your stuff you’ve been hacked.’ It’s just a chaotic mess.
Howard: But it isn’t necessarily an immediate PR problem. It only becomes a problem if you refuse to pay and then they release your organization’s name. That increases the squeeze on you. Isn’t that the way it works?
Terry: Yes, but there are also reporters that are linked to the Dark Web, where the moment that that data gets leaked there reporters will have a view — sometimes before the company does.
Howard: Which which all comes back to you’ve got to have a data breach response strategy. You’ve got to be thinking in advance of what may happen and what’s your playbook.
Terry: Again, it comes down to it’s not a matter of if but when[your firm is hacked], so you need to have a proper playbook in place and to make sure your backups are secure. That’s the 3-2-1 backup strategy that we spoke about in previous podcasts [Have 3 copies of your data: — the production data and two backup copies on two different media (disk and tape) with one copy stored off-site].
Howard: I want to move to another report about problems with unsecured instances of Elasticsearch databases. This relates to what we’ve been talking about before, which is data being held for ransom. Researchers at Secureworks said they found a number of Elasticsearch databases where the data has been replaced [by a hacker] with a ransom note that demands payment in bitcoin to get the data back. I’ve reported before on problems with people using Elasticsearch. For those of you who don’t know, Elasticsearch is a search engine that approved employees — and maybe some who aren’t approved — can use it to search across an organization’s entire store of structured and unstructured data. They may want to get insight about customer sales. However, if the resulting search file is left open to the internet — that is, it’s not secured by a password or by encryption — then any crook can find and copy the search results. The original data may be secure. It’s the Elasticsearch copy that’s not. And in this case, the researchers found 1,200 Elasticsearch databases around the world that included a ransom note. What do you make of this?
Terry: It’s important that the IT department gets up to speed with some of the documentation on how to secure these platforms. It’s similar to what’s happened with MongoDB databases … One way to find out if you’re being extorted is to look inside the cybercriminals’ bitcoin wallet [where they demand the ransom be sent]. If you see it at zero then you know that these campaigns usually are just a hoax.
Howard: According to this report the two digital wallets that the thieves have listed for where the bitcoin payments should go are empty. And that suggests that even though 1,200 Elasticsearch databases have had a ransom note inserted in this campaign so far has been a failure.
Terry: But it could also be that they may have backup plans to avoid U.S. [bitcoin transfer] sanctions.
Howard: This comes back to the question of how IT leaders can set enforceable data handling policies for employees. We’ll assume for the moment that the organization allows employees to use Elasticsearch to do searches. How does the company enforce security on the resulting searches?
Terry: I think that the cyber security landscape today is changing so fast the ability for companies of all sizes to be secure is becoming increasingly difficult. They don’t have enough resources, they’re obviously not looking at the proper documentation to secure the environment. They’re overworked and undertrained. Right now cyber security is a real mess. The best solution is outsourcing security to firms that have specialized staff.
Howard: The final story that we want to look at today is one that you had pointed out, the awarding of $1 million in grants this week by the Gula Tech Foundation to groups to help diversify boards of directors. The idea is more women and more people of colour with cyber security expertise should be on boards.
Terry: I think it’s a great thing. The challenge is that cyber security is not a very sexy field. It’s kind of like being a bricklayer: You’re going to have more men in bricklaying than women. Most of the women we see end up in the marketing department or in VP roles and not necessarily doing the technical pieces. So these grants are going to be very important for those that are serious about this. They’ll become advisors that help point businesses in the right way.
Howard: What’s your sense of boards’ ability to understand cyber security issues?
Terry: In one word, they’re overwhelmed. They know how to run a business. They know how advise on business. But they have very, very little real knowledge around cybersecurity. There are always gaps in their knowledge of compliance, and there’s a lack of resources. Not to mention that technology’s changing all the time.
Last, I hear you have a free mobile app to help fight fraud.
Terry: It’s been seven years in the making and about nine months in development. I wanted to build a mobile app that would allow me to educate consumers around fraud and scams that they should be watching out for. The new app is called Fraudster, and it’s available for both Apple and Android so you can check it out at http://www.fraudsterapp.com or type in Fraudster at your app store. The purpose of this app originally was to help consumers to stay safe online. There’s also a business component where they can learn how to secure their firms. they get alerted via push notifications on what to look out for.