Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday, November 11th, 2022. From Toronto, I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In a few minutes Terry Cutler of Cyology Labs in Montreal will join me to discuss some of what’s been going recently on in cybersecurity. But first a review of the headlines from the past seven days:
Canadian police arrested a man believed to be involved in the LockBit ransomware gang. The investigation also involved police from France and the FBI. The arrest was made in October but only announced on Thursday. Terry and I will discuss possible implications.
The arrest is the result of the capture of two suspects in Ukraine in October. Separately, Ukraine said it broke up a fraud ring operating in two cities that tricked victims in Europe into buying fake investments in cryptocurrency, stocks and bonds.
Terry and I will also discuss the decision of the UK government’s cyber agency to scan all internet-connected devices in the country for vulnerabilities. We’ll look at the settlement of a huge cyber insurance claim as well as how IT leaders should budget for cybersecurity.
News came out of a new strain of malware that overwrites data of corporate victims. The operators call their malware Azov Ransomware. But there’s no way listed in the ransom note to contact the operator to get a key for unlocking the damage. So this destructive weapon is more properly called a data wiper.
Citrix urged administrators to quickly install security patches for some of its customer-managed Gateway and ADC products. They close vulnerabilities that could allow remote desktop takeover from a phishing attack and brute force login attacks.
In July an industrial control manufacturer called ABB released new firmware for its TotalFlow oil and gas flow computers and controllers. This week we found out why: Researchers at Claroty tipped the company off to a high-severity path-transversal vulnerability that an attacker could exploit to gain root access to the devices. Utilities using the devices should have installed the update by now.
VMware released urgent security patches for its Workspace One suite.
And hackers began releasing on a dark web site the medical records of Australians stolen from a health insurer called Medibank. The data is just a sample of the millions of personal records stolen.
(The following transcript has been edited for clarity)
Howard: Terry Cutler is now joining us from Montreal. Just before we were to record this episode on Thursday news broke that police in Canada arrersted a man believed to be part of the LockBit ransomware gang. It isn’t clear from the initial statements from police if he is one of the operators or an affiliate who breaks into IT networks and deploys the ransomware. It’s not clear if he will face trial in Canada or in the U.S. American officials say he faces extradition. This is good news.
Terry Cutler: It is. Are the tables finally turning here? This is a significant ransomware gang, so we’ll be anxious to see what happens.
Howard: Certainly the computers and the hard drives that police allegedly seized from his home could yield a lot of information.
Terry: Absolutely. They found eight computers and like 400,000 in cryptocurrency. I’m just surprised that you know he could face a maximum of 5 years in prison.
Howard: That’s in the U.S., and those are the initial charges that were laid against him based on I guess the information that police had at the time. Perhaps that was before the seizure of the computers. So once they’ve got him into the U.S. perhaps he would face more charges. As of the time we recorded this podcast I hadn’t seen a statement from Canada on possible charges that he would face here first. But the arrest shows that police around the world continue to go after threat actors and international co-operation Is showing results.
Terry: Ransomware is the number one form of online extortion, and police are receiving so much pressure right now from industry that you know they can’t find attackers. Obviously it’s very very hard to break up these gangs because there’s so much anonymity online.
Howard: Meanwhile, in addition to the efforts that police are making it would certainly help if IT and security departments did their part by improving cyber security at their organizations. What I’m talking about is making sure applications are patched quickly, that employees use multifactor authentication so It isn’t enough of a crook has a password and a user name, and that data is segregated and encrypted data in case a hacker does get through defences.
Terry: When I was with the FBI a couple of weeks ago they were really hinting that if you are a victim of a ransomware attack you should contact law enforcement because they’re going to going to collect evidence they could use to help investigations and bring some of these gangs down. Probably seven out of 10 companies don’t disclose that they’ve been breached. They need to start sharing more information.
Howard: Next, we’re going to turn to the latest news in cyber insurance. Snack food giant Mondelez International — the maker of Oreo cookies and chewing gum — has settled with Zurich American Insurance over losses that Mondelez suffered in the 2017 NotPetya destructive worm attack. For those who don’t remember, NotPetay is believed to have been deployed by a Russian-based threat actor initially targeting the update mechanism of a Ukrainian income tax preparation program. However, instead of being confined to Ukraine this worm spread around the world, damaging some of the biggest companies. Mondelez said it caused the company $100 million in damages and demanded that Zurich pay under its insurance coverage. That policy covered all risks of physical loss or damage to Mondelez property including physical loss or damage to electronic data programs or software. However, Zurich refused to pay citing the incident as an act of war. We don’t know how much the two sides settled for.
However, one factor that might have played a role in persuading the insurance company to settle was a January decision by a New Jersey court in a lawsuit between pharmaceutical giant Merk and its insurers over damage caused by NotPetya. The insurance policy was different but the insurers claimed the same act of war exemption. However, the judge in that case ruled that the war exclusion only applies to physical war. Merk’s insurance policy didn’t make it clear that cyber attacks were covered. By the way that decision is being appealed.
When you heard about the Mondelez settlement what did you think?
Terry: I’m hearing more and more cyber insurance companies don’t want to pay out for acts of war because there are so much new and evolving cyber threats. Insurers are asking how much they can pay because they’re losing five dollars for every dollar they’re getting in premiums. A lot of folks don’t really understand what cyber insurance does. It’s designed to protect your business from the costs of data breaches. But cyber insurance comes in different flavors and sizes. Some policies only cover the results of a data breach, while others will cover a bigger spectrum of costs. … Some types of insurance provides first-party coverage that’ll financially protect your company from embezzlement or scams or lost payrolls but won’t cover ransomware. That’s first-party coverage.
Then you have what’s called cyber liability, That’ll help protect against costs relating to customer notification, credit card monitoring, legal fees and fines. The third coverage includes cyber extortion or ransomware. This type of coverage is supposed to cover problems including costs of negotiations, acts of war, forensics, and rebuilding of your systems. But you need to prove to the insurance carrier that you did everything you could to help prevent this attack … We’re starting to see more insurance companies making changes to what they’re covering under their cyber insurance policy.
Howard: Certainly firms that offer cyber insurance are being more careful with the wording of their policies. In August Lloyd’s of London said insurance firms selling through its platform should rewrite their policies coming into effect net March to be clear that state-sponsored cyber attacks won’t be covered. That only covers firms who go through Lloyd’s but still that’s a big number of of insurers.
Terry: I think this is going to turn into a money grab because customers are going to think that they’re covered, only to find out that they aren’t because their incident is a so-called act of war.
NoPetya took advantage of a zero-day flaw in Microsoft Windows, also called the Eternal Blue vulnerability. A patch came out in 2017 to address that. But believe it or not whenever we do penetration tests we still come across this unpatched vulnerability. People are not updating their systems properly. Just because you’re a small business doesn’t mean cybercriminals are not going to target you.
Howard: In a white paper released this week insurer Swiss Re said that last year globally organizations paid $10 million for cyber insurance coverage. However, insurance firms paid out $945 million dollars in claims. That’s obviously sustainable. Small wonder that cyber insurance premiums have jumped and coverage is more limited.
Terry: Because they’re tired of losing $5 for every dollar they get. Companies use insurance as their scapegoat rather than securing their systems. And they also believe that an attack will never happen to them.
Let me tell you a couple of myths about cyber insurance. A lot of times companies will say, ‘All I need for my small business is this insurance plan,’ but you’ll only be covered if you done cybersecurity measures stipulated in your contract. It’s very unlikely that your application will be accepted if you’re not compliant with that. They’ll ask you have two-step verification for logins, do you have network monitoring … We work sometimes with cyber insurance companies to audit organizations [applying for insurance]. That’s how they can tell if there’s lying on the application.
Howard: Swiss Re is suggesting three ways to keep a lid on premiums because cyber risks are hard to quantify. There should be new cyber security standards to improve the cyber data that insurers get, which would allow them to better judge the risk when they price policies; they suggest insurance policies should be clearer about the responsibilities of policyholders in a cyber attack; and they also suggest that there should be more sharing of risks by setting up public-private insurance plans for companies, particularly in critical infrastructure sectors that may be hard to insure. Interestingly, an Ontario expert panel on cyber security in the broader public sector suggested that the province look into creating government-backed cyber insurance for municipalities, school boards and hospitals.
Terry: I think companies are budgeting more towards cyber insurance than they are budgeting for their cybersecurity posture. Let me give example: If a company gets breached and claims $5,000 the insurance company is going to gladly pay this out — but will jack up their prices for the next year. All of a sudden if a client claims $15 million the insurance company will ask, ‘Did this company do everything they could to protect their business?’ and it gets fought out in court.
Howard: I think the bottom line is if you want Cyber insurance you better have a lawyer closely look at what is and isn’t covered.
Let’s move on to look at a unique way the United Kingdom is defending businesses and individuals against cyber attack. The government’s National Cyber Security Center has started scanning any internet-accessible system that’s hosted in the U.K. for software vulnerabilities. The center doesn’t go into the networks of organizations. It’s looking for patched unpatched or old applications that can be seen through a scan with tools like Shodan. The goal is to get a picture of how many devices across the country are vulnerable to attack. Broad results of scans will be made public. It sounds like the sender would say X percent of servers in the United Kingdom still haven’t been patched for the 123 vulnerability. So get cracking.’ Organizations can opt out of being scanned. Is this something that should be copied by the Canadian Centre for Cyber Security or the U.S. Cybersecurity Infrastructure Security Agency?
Terry: Companies are being scanned all the time by the bad guys and the only difference here is that the bad guys are not going to give you a report that you’re vulnerable. So I think it’s a good thing. The more help the better. But sometimes IT systems cannot be upgraded or patched because they’re too old, or patching might break software functionality, or IT doesn’t have the resources to implement it. Whatever the reason, though, we need to get better at protecting our systems.
Howard: I’m not sure how well this would go in Canada or the U.S. because there are lots of people who don’t like governments. Two years ago there was an uproar when Statistics Canada was looking for more accurate data on household spending and asked banks to hand over payment transaction information of customers including their names. That was not necessarily smart. Statistics Canada backed off.
The UK and its scanning isn’t collecting names and addresses. But it will have the IP addresses of systems that they’re scanning and you know that could be translated into a physical business address. If a hacker gets a hold of that database it would know who to attack and how.
I’ve seen one suggestion that says broad scanning like this is a good idea but ought to be done by independent organizations like internet service providers rather than a government agency.
Terry: And what’s really great about that is that the internet service providers can see a lot of ground what’s happening on the internet. They see all the communications going in and out.
Howard: Finally, let’s talk about how IT leaders budget for cyber security. Many companies may be thinking about this now because their fiscal year starts in January, but they may also be thinking of it because of the state of the economy. This week OpenText released a survey of small and medium-sized companies on a variety of issues. Sixty-seven per cent of respondents said their firm spends less than $50,000 annually on cyber security. Fifty-nine per cent of respondents said they plan to increase their security budget for 2023 — but almost the same number fear that inflation is going to lead to budget cuts. So What should IT leaders be thinking of these days when it comes to drafting a budget?
Terry: The first thing they need to know is times have changed. Gone are the days when you just needed a firewall, encryption and an antivirus. Those are traditional cyber security technologies that can be easily bypassed … First, a lot of companies have way too many security tools that were never built to work together. They need to look at software that allows them to have a centralized view from the network endpoint and the cloud into one dashboard. They also need to also invest in better antivirus technology … And you really need to look at more holistic solutions. If you don’t have the resources and time to deal with cyber attacks outsource that capability to other folks. That’s where automation [of tasks] can be key.