Welcome to Cyber Security Today. This is the Week In Review edition for the seven days ending June 11. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
This podcast is brought to you by Terranova Security, helping you discover how to build an effective security awareness training program and train the world’s cyber heroes from a lineup of cyber security experts. Register now for the 2021 Security Awareness Virtual Summit by clicking here.
In a few minutes guest commentator Dinah Davis, vice-president of research and development at Arctic Wolf, will chat. But first a look at some headlines from the past week:
Once again it was a week when ransomware took centre stage. The U.S. Justice Department and the FBI surprised the world by announcing the seizure of just over half the bitcoin that Colonial Pipeline paid to the Darkside ransomware gang last month. Dinah will talk about that, while I look at the testimony of the pipeline’s chief executive before the U.S. Congress. It is looking into lessons learned from the ransomware attack that forced the pipeline to temporarily close, causing panic at gas stations.
By the way, by an amazing coincidence, the morning of the first day of pipeline hearings there was a ransomware attack on an online service called iConstituent used by some members of Congress and other American politicians for publishing digital newsletters.
The American division of meatpacker JBS Foods said late Wednesday that it paid the equivalent of $11 million to the ransomware gang that attacked it at the end of last month. While the majority of its facilities were back in operation when it decided to pay, the company paid to ensure there were no unforeseen issues. The REvil ransomware group was behind the attack, which caused plants to close in the U.S. and Australia, and shifts to be canceled at a plant in Canada.
Hackers always take advantage of news headlines to launch phishing attacks. One of the latest scams tries to take advantage of increased worries sparked by the Colonial Pipeline attack. Targeted emails have been seen going to employees saying a software update is needed because of the ransomware attack against Colonial Pipeline and other organizations. The link in the message leads to the installation of malware.
In this country three more Canadian firms were recently listed as being hit by a ransomware group called Pysa, which is threatening to release data stolen from them. I haven’t been able to confirm this, so I won’t name them. But they are allegedly small or medium-sized businesses in Ontario, Newfoundland and Quebec.
Three new ransomware groups have emerged. One group is called Prometheus, and claims to have ties to the REvil ransomware gang. Prometheus has published data it says has been stolen from several Mexican government departments, a gas company in Ghana, an Oklahoma cardiovascular centre and others. Another new group is called Grief. It claims to have stolen data from five organizations, including a county in Alabama and a firm in Mexico. The third has been dubbed BlackCocaine by researchers. Its first victim appears to be a financial services company in India.
Separate from ransomware, the FBI and Australia revealed a huge sting operation against criminal groups that involved controlling a cellphone messaging service crooks thought was secure. Law enforcement agencies in a number of countries arrested 800 people and impounded cash, cryptocurrencies, drugs and luxury vehicles.
(The following is an edited transcript. To hear the full discussion play the podcast)
I’m going to bring in Dinah Davis now. The big news was the U.S. striking back at the ransomware group that hit Colonial Pipeline last month. Tell us what happened.
Dinah: I was quite shocked because it’s usually not very easy to get crypto coin back. So let’s give a little bit of background here: Colonial runs the largest American pipeline for refined petroleum and products [on the U.S. East coast] … On May 6th they suffered a ransomware attack and it impacted the company’s IT structure and ultimately caused the company to hold all their pipeline operations for about five days. To try and get back online quickly, Colonial paid $5 million in bitcoin to the Eastern European hackers on May 7th. That was to get the decryption keys and the decryptor tool that would allow them to decrypt all their data and get back to running.
Sadly, the decryptor was really slow, so it didn’t help them very much. And they still pretty much had to recover all their data. And now they’re out $5 million. So in a surprising turn of events on June 7th, the FBI announced they were able to recover the majority of that bitcoin, which seems kind of crazy. We hear all the time that it [bitcoin] is anonymous, decentralized. So how does the FBI get their hands on that? Well, bitcoin has to be stored in a digital wallet. But the only way you get access to the bitcoin is if you have the password for that wallet.
The FBI was able to get that password. How did they get that password? They’re not telling us, but it’s important to note that the FBI got access to an affiliate’s wallet and not the Darkside [ransomware group’s] direct wallet. Darkside provides a platform for its affiliates or users to do ransomware attacks. And then it takes a cut of the money that they make … One working idea that I’ve heard in the media is that the affiliate is actually a teenager and didn’t really know what they were doing. So maybe that was an easier target for the FBI to get the password back.
One sad note here is that even though they were able to get about 85% of the Bitcoin back, the value of Bitcoin has dropped over the last month. So it’s only worth about 50% of what it was when they purchased it.
Howard: One news story that I saw quoted an expert as guessing that the server where the attacker stored his private key information was accessed, which suggests that the hacker in this case committed a failure of security hygiene. Which is somewhat ironic because there was a failure of security hygiene which actually got them into Colonial in the first place. This wasn’t a failure of the Bitcoin infrastructure. That raises the question of whether this can be done again.
Dinah: Only if the criminals make a mistake again.
Howard: You mentioned the problem with the decryptor. This week the chief executive of Colonial Pipeline testified over two days before the U.S. Congress about the attack and the impact and what the U.S. government could do about ransomware attacks. And one of the things he said was it wasn’t that the decryptor didn’t work. One of the things he said was the company had good backups, but he said it took time for the company to go through the backups to make sure they hadn’t been infected before they were restored. And that was one of the reasons why they figured they had better pay the ransom.
Dinah: But it turned out that the decryptor wasn’t made for high performance environments, as in quickly decrypting hundreds and thousands of files … So it turns out that it wasn’t any faster than them sifting through their data from backup.
Howard: I listened to about four hours of testimony over two days before the U.S. Senate and the House of Representatives about this attack. And I came away with more questions than answers. Most of the talking was done by pipeline CEO Joseph Blount. He was pretty proud of the way his company responded to the attack, with employees shutting the pipeline due to worries about how extensive the infiltration might be. And they shut it down within an hour of getting the ransom note. In fact, he turned away a question about what lessons he learned about what the company might have done wrong, insisting that the company had its defenses, but unfortunately the hackers got through. But he did confirm that the hacker initially got in through a legacy VPN using a username and password that had been created by an employee. After this incident, it was discovered that the credential was among those that were stolen from another hack.
An official from Mandiant, which did the investigation, testified that it assumes the employee used this password on another website, and that’s where it was hacked from. That this wasn’t a phishing attack that the employee fell for. They also said that the password wasn’t a simple password that could be guessed. The Mandiant official, when he testified, called the creation of this account a “misconfiguration,” because it wasn’t believed that the account on the VPN was enabled. And that’s why multi-factor authentication wasn’t turned on for that credential. And he also said he doesn’t know if this misconfiguration would have been picked up by a vulnerability scan. Dinah, what does all that mean to you?
Dinah: That last part there is fancy speak for, ‘We forgot we had credentials sitting there being used by only one person. Don’t worry. Only one person had the password and it was a good password.’ Unfortunately it wasn’t the only time that the user had used that password, and account takeover hits again. It’s so common: You use the same password in more than one place, even if it’s an amazing password. And then it shows up on a list someplace on the dark web, which is exactly what happened here. And the hackers were able to use that to get into the system.
Even if you think it’s disabled, there’s no reason for that username and password to still be provisioned. Just take it off, just get rid of it. This is hard. Because crap builds up in your IT systems and, like, I’m sure there’s lots of people in companies that have forgotten about an account they created and it’s just sitting there.
That’s the importance of doing audits, auditing through all of your accounts in IT, everything, all the usernames and passwords … what accounts have been provisioned, to whom they’ve been provisioned and are they still using them. Do that on a regular cadence. Quarterly is a great idea because it takes away some of these older accounts that maybe didn’t have MFA put on them because they were older … It just shows like there’s lots of tiny cracks that the hackers can get into.
Howard: Here’s something mysterious. One of the members of Congress asked Colonial was there any record of this password in Colonial’s documents. And I think what they meant was password records, and the answer was no.
As I said, there are a whole number of unanswered questions: How did this account get created and why wasn’t it in the Colonial password management? … Does Colonial know who the employee was, who set up this account, like, were they in IT or a manager? Was somebody just fooling around? Was it a test account? Why was this account set up? And the other thing is how did the attacker know that this particular credential was for the Colonial VPN? Because in the testimony there was no mention that this was a brute force attack where the attacker had hundreds of credentials and they tested them against the VPN and just got lucky.
Dinah: I know that the hackers often do a lot of sleuthing beforehand. Maybe they found the username and password on the web someplace when looking into that person’s background, maybe they were able to get onto their computer … They definitely had to have some bits of information.
Howard: Before we leave ransomware, I want to mention a column that I saw on the website called Dark Reading, where the author argued that ransomware isn’t the problem that IT leaders face: That’s the symptom of the real problem, which is that IT can’t control computer systems. They should be using the concept of least privilege access. Software shouldn’t be allowed to make arbitrary changes like encrypting files. One argument that the author made was operating systems shouldn’t allow unrestricted access to applications. So, for example, in the macOS Big Sur [operating system] applications can’t write to the Documents folder. And the Documents folder is what ransomware attackers want to steal from, what they want to encrypt. What did you think of this argument?
Dinah: I think there’s so many valid points about it. They also mentioned you don’t see a lot of ransomware on an iPad or a Chromebook. And that’s because those systems are locked down. You can’t do a lot on an iPad unless there’s already an app for it. You can’t build stuff on there. And so the question really becomes what does the everyday user really need in a computer? My guess would be that 80 per cent of people just need a computer that’ll allow them to use the apps they need to use. So install apps, use them and go forward. They don’t need the ability to write scripts or write code or do fancy things.
The people that need computers where you can do everything, like software developers and whoever else, they get the ones that have really lots of access — and then they have to be really careful. But for example, if you’re like an HR person in the company … when they opened resumes, they wouldn’t be phished. So I think it’s a fantastic idea. I think it’s hard to implement because of how people are used to a world in which you can do anything you want on your computer …
They mentioned this in the article, too: It’s always about the principle of least privilege. You should have the least amount of privilege you need to do the job or do the thing you want to do on the computer. And everything else has to be asked for. And if that’s the case, then a lot of this ransomware gets shut down. It’s a little bit of a pipe dream because we have to get everybody to move in that direction. And it’s expensive, but I don’t think we’re as far off, as you might think because of things like iPads and Chromebooks.
(Dinah and I also discussed the snare set by the FBI and Australian law enforcement to catch crooks using what they thought was a secure text messaging service. To hear that discussion play the podcast)