Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday, November 17th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
In a few minutes Terry Cutler of Montreal’s Cyology Labs will be here to discuss recent news. But first a look at some of the headlines from the past seven days:
Denmark’s computer emergency response team for critical infrastructure released a report on last May’s co-ordinated cyber attack on 300 organizations. Failure to patch firewalls was a crucial contributing factor. Terry and I will discuss this.
We’ll also talk about recent ransomware attacks, including one ransomware gang’s novel approach to pressuring a victim firm: It reported the attack to a U.S. regulator. And we’ll also talk about the increase in voice fraud.
In other news Samsung Electronics acknowledged personal information of customers who bought products online in the UK three years ago was stolen. The data covered a 12-month period ending June 30th, 2020. The discovery, though, was only made on Monday.
Fortinet warned IT departments using its FortiSIEM security information and event management suite that it needs to be updated. A critical vulnerability could allow an attacker to do nasty things.
American cyber authorities released a background report on the Rhysida ransomware gang. It’s the latest in a series of reports that give IT departments research on the tactics and techniques gangs use.
Meanwhile researchers at NSFOCUS released a background report on a group they call DarkCasino, which is behind the exploitation of vulnerabilities in the WinRAR utility. Favoured targets are banks, online casinos and cryptocurrency trading platforms.
Intel patched a potential vulnerability that affects some of its processors. The bug is called Reptar and could lead to a system crash, escalation of privilege attacks or denial of service attacks. IT administrators with affected Intel processors should consider updating their systems.
American authorities dismantled a botnet proxy network that distributed the IPStorm malware. That announcement came this week as the U.S. Justice department revealed a man had pleaded guilty in September to computer-related crimes including creating malware distributed by a botnet. He will be sentenced later.
An administrator of the Darkode criminal forum has been sentenced to 18 months in jail by a U.S. judge for conspiracy and aggravated identity theft. Thomas Kennedy McCormick, whose online moniker was ‘fubar,’ made and sold malware that stole data. When his residence was searched police found stolen credit card information of almost 30,000 people.
SAP’s November patches include one for a vulnerability that impacts the installation of Business One. The problem is that version 10.0 doesn’t perform proper authentication and authorization checks.
And Microsoft released patches and guidance to address a high-severity vulnerability in Azure Command-Line Interface (CLI) that could result in the exposure of sensitive information through GitHub Actions logs.
(The following transcript covers the first of several topics discussed. To hear the full conversation play the podcast)
Howard: Topic One: Once again failure to patch is a crucial factor in a cyber attack.
Last May attackers went after 300 organizations in Denmark and accessed the IT networks of 22 energy infrastructure providers in what has been described as a co-ordinated cyber attack. This week the country’s computer emergency response team for the critical infrastructure sector released a damning report on the causes. Number one: Failure to patch firewalls. Here’s the chronology: The attack was on May 11th. Two weeks earlier Zyxel issued patches for its firewalls, some models of which were used by Danish companies. The vulnerability was rated at 9.8 on a scale of 10. This particular hole allowed an attacker to send network packets to the firewall and gain complete control without knowing usernames or passwords. On May 1st, five days after that warning, the computer emergency response team issued its own warning to patch these devices. But, I guess IT departments had other priorities. On May 11, 16 energy companies were targeted. Eleven were immediately compromised. Terry, IT departments have to prioritize when patches are announced. But no action 14 days after a critical patch is released for a firewall — and this is not just one company.
Terry Cutler: I could feel the pain here because we’ve actually done an incident response on something similar. The fact that this vulnerability had a rating of 9.8 on a scale of 10 shows that this is so easy to exploit and can have a catastrophic effect on all the systems.
I can tell you a story: We had another firewall vendor that was compromised last year, and the passwords leaked for it. Cybercriminals got in and then they accessed the company’s Active Directory, but instead of launching a ransomware attack they actually launched a Bitlocker attack locking down all the [Windows] machines. That’s why the EDR [endpoint detection and response software] didn’t pick that up, because [Bitlocker] is a legitimate [Windows] tool.
We’re seeing a lot of companies having a hard time performing regular vulnerability scans. They don’t have the proper tools and practices in place to get that done. They also need to prioritize third-party patching. A lot of folks are just focusing on the Microsoft patches, the easy stuff. But they don’t realize that they need to start patching the third-party vendor things as well. I can also feel the pain of IT administrators, because they receive so many emails about patch updates they just simply can’t keep up. They need to make sure they have priority email rules so when an email comes in from this vendor or from this alert it’s high on their list of things to get done.
Howard: You can’t just blame this on overworked staff.
Terry: No. That’s an oversimplification of what’s going on here, because when you’re upgrading a firewall often it requires a reboot. That can shut down critical systems that users need access to — especially if you’re in a hospital. You can’t just simply reboot these things. And the IT guys might not take cyber security seriously because they’re just focusing on updating their servers or workstations.
Howard: Many of these companies initially hit on May 11th might have been small companies, but companies are in the business of making money. And when you make money you’ve got to devote resources, and one of those areas where you devote resources is cyber security.
Terry: But often the IT folks are overloaded. Especially if you’re a small business, you often rely on external vendors for IT needs including cyber security. More and more when we perform attack surface reports, where I can pull information out of Shodan [the IoT search engine], we show the MSP [managed service provider] or the customer how vulnerable they are from the point of view of a hacker. A lot of times the reports are showing bright red [for every service that’s exposed to the internet]. The client always says, ‘My MSP has me covered,’ but then we run an attack surface report on the MSP and I’m getting sunburned from the results because it’s so red. How are these guys protecting you if they can’t protect themselves? …
The IT guys need to focus on the break-fix stuff, but team up with a cybersecurity firm to help complement them.
It also comes down to cyber security awareness [of employees], especially among small and medium-sized guys. They feel that they’re not a target because they don’t have a lot of sensitive information, but they don’t realize that the criminals are just there to make money off you.
Howard: But if you’re in critical infrastructure you should know you’re potentially a target.
Terry: Absolutely. But the biggest problem that I find in those guys is that they have too many tools in place to get really good visibility into what’s going on. Whenever an incident occurs they have to bring in multiple teams to try and piecemeal this all together. So they should really look at more vulnerability scanning as well.
Howard: There’s suspicion that the attackers came from Russia, and there’s certainly an indication that it was a sophisticated attack because the attackers must have known somehow that these companies had Zyxel firewalls. An internet scan using a tool like Shodan wouldn’t have shown that.
Terry: This indicates to me that this is another level of sophistication and there was a lot of preplanning involved. They could have obtained this information in various ways. Maybe they conducted a reconnaissance before launching their attack. Maybe it was an insider threat. Maybe there was a former employee who leaked the information or a contractor or somebody with knowledge of the IT infrastructure. They could have gotten it from other sources like a job board posting … Here’s a company looking for an IT administrator and it starts listing out all of the software they’re running and what they [applicants] need to be proficient at; if Zyxel is mentioned in there the attackers are going to know. It could also have come from public disclosure documents.
Howard: Fortunately, after the initial compromise of the 11 companies the critical infrastructure computer emergency security team was able to work with the victim firms and prevent the attack from spreading beyond the firewalls. However, 10 days later there was a second wave of attacks. It isn’t clear if this was the same group, but one organization’s firewall downloaded software and appeared to join the Mirai botnet. This was the start of the attempted exploitation of two zero-day vulnerabilities in the Zyxel firewall not only in Denmark but also in other countries, including a company here in Canada. Some attacks succeeded and the firewalls were then used in denial of service attacks against other targets.
Here’s a twist: One company didn’t think it had a Zyxel firewall. Actually, it did: It was on a package of surveillance cameras that a vendor had installed. Probably the IT administrator would have known the name of the camera system and probably didn’t realize that the camera system was connected to a firewall.
Terry: This often comes up whenever we do a penetration test and we ask the customer, ‘Can you show me a detailed plan of your network so we can see where your critical assets are?’ And a lot of times they don’t even have a comprehensive map of their system. They need to have a complete inventory of all their IT assets, including those that are installed by third-party vendors … They also need to start looking at more proactive measures like continuous vulnerability management and always be scanning for patching … and misconfigured items as well. Look at third-party vendor risks. Make sure that the companies you’re working with have strong security practices in place. Ask them for proof that they’ve had an assessment done on their IT network.
Howard: I’ve condensed the narrative of the attacks in this particular incident … One lesson from this incident is the importance of having sector computer emergency risk teams that can help share information and alert other companies about the problems. This incident is a great example of how volunteers can help blunt cyber attacks.
Terry: There are a couple of things we can learn: Prioritize your patch management. So many companies that we audit don’t even have a proper patch management system in place … Make sure you also have a comprehensive asset inventory. You need to know at all times what’s connected to your network. Make sure you run continuous vulnerability scanning so you can see what’s going on, so when you see a lot of critical vulnerabilities make sure you patch those things first … And you need to really get your incident response playbooks up-to-date. Finally, strongly test your backup and restore procedures.