Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday, September 2nd. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In a few minutes I’ll be joined by Terry Cutler, head of Montreal’s Cyology Labs, to talk about some of the news from the past seven days. First, here’s a roundup:
More information is coming out about the impact of the successful text-based phishing attack against messaging provider Twilio. Last week identity security provider Okta said the hackers stole some SMS text-based one-time passwords of customers, and we learned hackers also compromised the Authy multifactor setup accounts of some users. Terry and I will look at the widespread impact of this attack.
We’ll also examine how a university student fell for an email job offer scam.
And because yesterday was International Women in Cyber Day, Terry will have thoughts on encouraging more women to enter the profession.
Also this week, we learned attackers are finding new ways to leverage the Log4j2 vulnerability. Microsoft warned that a hacking group has found and is trying to exploit vulnerabilities in unpatched service and help desk software made by an Israeli company called SysAid. According to experts at the SANS Institute, the group behind this, suspected of being linked to Iran, has been known to target VMware instances for this vulnerability. IT departments that use SysAid should have installed the patch to fix the Log4j2 vulnerability long ago.
In ransomware news, the Karakurt gang is taking credit for an attack on the International Centre for Migration Policy Development, a humanitarian group. The agency acknowledges the attackers got “limited access” to its servers. Karakurt says it copied personal information, financial documents and banking information.
Also hit by ransomware was an unnamed government service provided by the government of Chile. The country’s computer emergency response team said the ransomware hit Microsoft and VMware ESXi servers in the institution.
And the Balkan country of Montenegro says 150 workstations in 10 government departments were infected with the Cuba strain of ransomware.
Finally, the city of Lexington, Kentucky admitted it was tricked into sending US$4 million in federal housing assistance funds to a crook’s bank account in an email fraud scheme. A crook sent an email to the city pretending to be from a local housing group. It asked that funds be sent to a bank account different from the usual one the housing group uses for receiving housing funds. A municipal employee complied.
(The following transcript has been edited for clarity)
Howard: Joining us now from Montreal is Terry Cutler. Let’s start with International Women in Cyber Day, which was September 1st. However, because that can be a civic holiday in a number of countries it’s being formally celebrated in events throughout the month. IT in general is heavily populated by men, and cybersecurity even more so. How do managers encourage more young women to enter the profession?
Terry: I got to experience some of that when I was a judge for the Top Women in Cybersecurity for IT World Canada in 2020. A lot of nominations came in, but there was always a question in my mind: why aren’t there enough women in this field? I reached out to a bunch of them to get their take and the common theme was there’s some bullying that goes on, they often don’t get invited to meetings, there are a lot of haters. But in my experience when working with them on projects they’re great multitaskers. They’re great investigators. They pay attention to detail. I’ll give you an example: I did a penetration test on a company and brought in two other experts, one of whom was a female. They have a different way of thinking than men. We were trying to troubleshoot one way to break in and she said we should do it this way. Sure enough, it worked. Sometimes men overthink. I think the message here for the guys is to give women a chance to shine.
One tip I can give to the women from being a judge on that panel is that it was really hard for me to find out online what they were doing. They weren’t putting out a lot of content as blog or video authors. So one thing I suggest is they should put out more content about how to protect a business. That’s going to grow your brand and propel you to the top of the list very quickly.
Howard: I spoke to a number of women for an article on IT World Canada this week on women in cybersecurity and their careers, and a number of them spoke about how important it is in staff meetings to speak up. They also said when the opportunity comes to take new jobs or a task or be promoted to say yes.
Terry: There are women that are running departments at very large companies like telecoms that handle $100 million portfolios. These positions exist, so women shouldn’t be afraid to step up and speak up.
Howard: We talk a lot about a cyber security shortage of talent — There are thousands of jobs open in security departments across Canada and the United States. IT leaders, security officers are looking for talent. They can recruit from within. They can find women who are, for example, working for IT support, and customer support. They have some IT knowledge, they can be pulled into the cyber security department and with a bit of training they can be valuable staff.
Terry: Absolutely. And that’s the key — they have a bit of an IT background. Usually when women go into the workforce cybersecurity or IT is not exactly their number one choice. They’ve got to be techies at heart. They can’t just be forced into this industry. They’re not going to like it but those that already love the tech side and have some IT knowledge and background to start off are in a really good position to move up very quickly.
Howard: Would it help if public schools exposed women — and men — to IT topics such as application coding early in school? In Ontario they just announced they’re going to start teaching kids in grade one how to code. Will that help not only get more women in IT but also a more diverse workforce?
Terry: Absolutely. The longer the younger folks can learn about tech and coding the better it is. And if you understand English, French and coding you are in a really great spot. But coding and tech don’t interest everyone. The issue I’m seeing also in university is the curriculum isn’t always up to date. My experience when I hired an intern was she’d spent three years learning [IT] from PowerPoint. I had to lose about a month getting ramped up. Schools need to be more organized, partner up with cyber security experts to keep the content refreshed and current.
Howard: Here’s something interesting: For that article I interviewed a woman who is a cybersecurity professor at the University of Phoenix who also has a full-time job as a consultant for a cyber security company. The reason is that university has a rule that all faculty have to have jobs in their related field as well as teach. They can’t be full-time faculty members. That’s supposed to allow professors to pull in real-world work they do into their teachings so their courses are up to date.
Terry: That’s really, really great. The problem is some senior cybersecurity folks don’t always have the time to teach as well. That’s why the future, I think, is going to be online teaching, where we can send in pre-recorded content students can watch, and maybe ask questions on a live Zoom.
Howard: Item 2: More news about the impact of the phishing attack discovered at the beginning of August on Twilio. For those who don’t know, many companies use Twilio’s communications platform in their messaging. This was a supply chain attack. It hit one company to get the tools to get into many others. The attacks started with the hackers sending text-based messages to Twilio employees asking them to either confirm their login credentials or allow a change in their calendar, and they had to click on a link to log in. They had to include their two-factor authentication codes. The attackers then got a hold of the employees’ credentials, and that led to getting hold of the credentials of users of the Okta identity service to hack into more companies, such as DoorDash, Digital Ocean and Signal. By one security firm’s estimate, the threat actor behind this stole over 9,000 user credentials from 136 companies in countries all over the world. Most companies hit were IT software development and cloud services. Not only were SMS two-factor authentication codes stolen, the hackers also compromised the accounts of some people who use Twilio’s Authy multifactor authentication app. Note in this case it wasn’t the app that was compromised but users’ accounts. The hackers added smartphones to victims’ accounts so the extra multifactor authentication code went to their phones and not the victims’, and then the attackers could use that combination of codes and credentials to log in.
Terry: It goes to show that [text-based] two-factor authentication isn’t as foolproof as we thought. We’ve known for years that it’s vulnerable, but it’s better than nothing. Over the years we’re finding hackers are getting much more resourceful and try to find out as much as possible about the target before launching an attack. We know the first phase of any cyber attack is the recon phase, or the footprinting. They want to build their battle map of how they’re going to attack companies, so they want to know everything — what the company specializes in, where it’s based, how many employees they have, their ISP, who the vendors are — that’s how they’re able to successfully send in these types of phishing attacks. There have been some new methods now of bypassing two-factor authentication. Threat actors register a domain that it’s going to look like yours and create a phishing lure with a link where you don’t only have to type in your two-step verification right away — like what happened here. It was pretty obvious [it was a scam]: That should have been a flag — why am I asked for my two-step verification upfront? But the [fake] login page looks completely legit. So as you type in your password it’s then going to prompt you on your phone for the two-step verification. Then they get a copy of the token, replay it and log in as you. Then the threat actor can disable two-step verification and change the password and take over the account.
Howard: This incident again shows the weakness of SMS text-based messaging for two-factor authentication. We’ve said before text-based two-factor authentication is better than none. But even better is the mobile app-based system such as Google Authenticator or Authy or Cisco Systems’ Duo where it’s harder to intercept the code. But this particular scam showed — as I think we’ve discussed before — the way to get around a strong multifactor authentication is to compromise the account of the user. So the attacker adds an extra phone unknown to the victim and then the codes go to that phone, so the threat actor has bypassed protection.
Terry: That’s why SMS is one of the most non-secure messaging systems out there. The goal is to move away from that and stick with authenticator apps.
Howard: Item 3: A university student was victimized by a sophisticated fake job offer scam. The hacker noticed that this person had a profile with an IT background on the AngelList social media site, found the victim’s email address and sent them a fake job offer from well-known cybersecurity firm Splunk. The victim was asked to do a Skype interview with a supposed HR person. They got a job offer, and then did an online interview with the supposed CIO. And here’s where the scam cost the victim: The CIO said they would pay for the victim to get new computer gear for their home office if the victim registered their credit card with their company account so that they’d be reimbursed. The victim had to buy the computer gear at an Apple store, ship it to an address where supposedly Splunk would install security software and then it would ship the gear back to the victim. Well, that computer gear went to the fraudster as well as the victim’s credit card. This is another example of how crooks take advantage of the fact that today lots of job interviews are done online, especially because of the pandemic.
Terry: This is a really crazy one. We dealt with a scam similar to this in 2020. A large retailer was mass hiring for their warehouses and the scammers duplicated their job application system. Next thing you know applicants were applying to the wrong website. The threat actor said, ‘You qualify, but you need to buy some equipment from a certain site and we’ll reimburse you for it.’ They even sent fake quotes from the retailer. It looked completely legit. But they were buying the gear for the scammers.
Howard: For one thing no legitimate company is going to say, ‘We’re going to reimburse you for your expenses, but the way this starts off is you give us your credit card.’ That should be a tip-off. The other thing is the victim tried to verify that the people she was talking to were real. She looked up online the name of the HR person who she was going to have an interview with, and sure enough, Splunk had a real employee with that name. The problem is that doesn’t guarantee that the person she was talking to was that employee.
Terry: They’re going to great lengths now to make sure the scam is as legit as possible. The key takeaway here is no one’s going to ask you to purchase large amounts of gift cards or a large amount of equipment and then send it off to them. If you’re really hired they will send you a laptop. So education’s key.
Howard: What should online job hunters do to protect themselves from being scammed?
Terry: Companies need to find out if scammers are setting up fake accounts with their name. One tip is to set up Google alerts that trigger so whenever your firm’s name is mentioned anywhere in Google you’ll receive an email. If somebody creates a fake profile with your firm’s name on it and it gets indexed, Google will show you that alert and send you the link to where it is. I mentioned I think in a previous podcast where somebody created a fake profile with my name and photo and scammed a woman out of $60,000 in a romance scam. Unfortunately Google didn’t index that fast enough. I found out later on that my profile was being used.
Howard: The last item we’re going to look at is a highly-targeted phishing scam that was pulled off down under. Some group — likely a nation-state — emailed government officials in Australia as well as members of the media and certain companies pretending to be with a news site called Australian Morning News. In their emails the attacker pretended to be reporters doing research or they asked for advice on improving the news. Their emails included a link to the news site, which was a realistic-looking fake website called Australian Morning News that had stories copied from other news agencies. The goal of the scam was to get victims to click on the link in the email and go to that website, where their computers would be infected. Briefly, that’s called a drive-by attack. Aside from being insulted that my profession is being abused this way, this scam shows a lot of work.
Terry: The scammer might have wanted to build a list of infected computers to be part of a botnet and commit crime. But what could also happen is they would run an exploit against the computer to find anything vulnerable in the user’s browser to steal the passwords, maybe turn on the computer’s camera or microphone or harvest as much information as possible. Maybe launch a ransomware attack. They say curiosity killed the cat. So victims say, ‘Who is this news firm reaching out to me?’ Of course they’re going to click it, because there’s no sense of urgency in the email.
Howard: The suspicion is that because many of the people targeted work for the government of Australia or they worked for defence contractors that this was an espionage scam. And the thing is reporters do email government and corporate officials they’ve never met asking for comment if they want to contribute an article to their publication. So those getting these requests have got a tough choice: If you don’t want to click on a link in an email from someone you’ve never met what do you do? Google the name of the news publication to see if it’s real. But in this case they would have found a link and they would have gone directly to the fake website. That’s presumably the safe thing to do instead of clicking on a link in an email — but they get infected anyway. Any company can be scammed like this — and many are by attackers that set up look-alike websites of real companies.
Terry: It’s kind of like ‘living-off-the-land’ tactics, where hackers are using legit methods and tools against us. This happened to a buddy of mine who got scammed out of $445,000. He received an email that looked like it came from the director of marketing at his bank. They asked him to upgrade his profile, so he clicked on the link and ended up on ‘bank.ru’ — but the website looked identical to the banking website he used. He entered his client card numbers.
Howard: But in that case wasn’t there a clue? The website’s address was ‘.ru’.
Terry: The problem was he was not educated in internet safety. That’s why I created the Fraudster education app.