Welcome to Cyber Security Today. This is a special Year in Review edition for 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
With me here regular commentators Terry Cutler, head of Cyology Labs in Montreal, and David Shipley, head of Beauceron Security in Fredericton, New Brunswick.
(The following transcript has been edited for clarity, and only covers the first part of the conversation. To hear the full discussion, play the podcast.)
First, as you look back what kind of a year has 2023 been?
David Shipley: There’s a meme that comes to mind: A guy goes out to get pizza for his party and comes back and everyone’s running around in complete pandemonium and someone’s on fire and he has this look on his face — and that’s me this year. It’s just the absolute pandemonium of 2023 between some of the zero-days that dropped, some of the nation-state hacking, the fact that the Russian hacking game against Ukraine as the year wraps up gets spicy … It has been a year and I don’t think 2024 is going to be much different.
Terry Cutler: Same here. It was very, very weird at the beginning of the year. It was very quiet. Even had competitors calling me up to see how we can all work together. But we’re seeing a lot of breaches that are occurring because companies still don’t have the basics in place. And what they’re doing is going to their managed service provider and saying, ‘Hey, how do we fix this?’ But they [the providers] aren’t cybersecurity experts. So they’re recommending the wrong stuff. We’re not advising them properly, and they’re getting breached. Hopefully 2024 is going to have better outcomes.
David: I think there’s been a lot of snake oil in the cybersecurity market, particularly since the pandemic. And now it’s snake oil with generative AI. It is [failure to do] the basic stuff, but the basic stuff isn’t sexy. It’s the diet and exercise of health applied to cybersecurity. And everyone still is running around looking for their $500 a month. That’s not going to get what you think it is, and you’re going to put the weight on after you stop taking it. I don’t see executives yet moving away from the silver bullet snake oil: ‘I bought the latest ADR, MDR, AI, DLP solution. Why am I not safe?’
Howard: Let’s get to the top news story of the year as selected by me — because I’m the host and I have privileges. The number one story of the year: The exploitation of a zero-day vulnerability in Progress Software’s MOVEit file transfer application. Why is this the top story? According to statistics compiled by Emsisoft, as of December 15th, 2,686 organizations around the world had been hacked from this one vulnerability. Data on over 90 million people has been stolen.
IT departments use MOVEit to compress, encrypt and shift files to third parties for processing. They’re processing things like payrolls and benefits. The cybersecurity community started getting worried about this when Progress Software said at the end of May that there was a vulnerability in the on-premises and cloud versions of MOVEit that had to be patched. And since then, an avalanche of companies and governments around the world have admitted their on-prem or cloud stores of MOVEit had been hacked. Or if it wasn’t their own MOVEit servers directly, then the data held by the companies doing their data processing was hacked.
The Clop ransomware gang has taken credit and for the most part didn’t deploy ransomware in these exploitations. It was pure data theft. Gentlemen, what do we say about this incident?
Terry: We’re seeing more discoveries of zero-day vulnerabilities. We’re seeing fewer and fewer companies implementing the right technology with detection and response built into it. So they’re not seeing a full holistic view of what’s happening in their environment. Zero-days are extremely hard to detect because not even the vendor is aware of the vulnerability. And we’re seeing a shift now, where a ransomware gang is in the network for a long period of time. The average time that a cybercriminal is in your environment is over 280 days before being detected. So we’re seeing a shift now where they [attackers] are seeing more value in exfiltrating all the data versus just sending them a ransom.
David: I really think zero-days need to have like a league or a qualifier. Like, ‘This was not an NHL-level zero-day. This [MOVEit] is a SQL injection. This is a Pee-wee hockey zero-day and should never have happened in the first place.’ This is the equivalent of driving your car with your eyes closed right into a telephone pole. And so back to Terry’s point about the basics.
This [type of vulnerability] is in the OWASP [Open Web Application Security Project] Top 10 for how many years? How many decades at this point? So it should never have happened. But that’s on the vendor. But on the [customer] organizations, we have a fundamental breakdown in the understanding of what the technology’s intent and purpose was. It was supposed to be secure file transfer. And in that, it was relatively successful. What it was never supposed to be was a data warehouse [for files about to be transferred or transferred files].
Whether it was driver’s licenses that go back years, birth certificates that go back years, employment information that goes back years, the fact is that this wasn’t used as a subway transit stop [by IT departments — you get on and then you leave]. This was the end warehouse [for data] and became the primary system of backup because of poor [data management] processes. That is on the organizations. That’s on them because good data hygiene would have reduced the scope of the impact. Not the presence of the vulnerability, but certainly we wouldn’t be 90 million people deep [in stolen data] if we had good, tight data governance. And that’s a shout-out to all of my friends in the privacy and data governance and security worlds. It’s not one of these items, it’s all three working together as a process.
Howard: Your point is that, for example, every month a company might have been sending a thick file to a data processor, but what the [sending or receiving] company wasn’t doing was deleting that file [from the MOVEit server] every month after it had been used.
David: Exactly …
Terry: I think if companies start getting back to basics — regular patch management, security updates, putting in more holistic monitoring environments, technology that’ll look at what’s going on at the network, endpoint and cloud levels — the moment something like this occurs it should be able to trigger that this is not normal behavior. It should set off an alarm, quarantine the machines.
David: This is also part of what I call the sin of the city planning or the highway planning or the data planning of organizations. And I’m going to use Fredericton as a great example because it’s one of the few capital cities in Canada where you’re driving along the main provincial highway and the next thing you know you are at a three-way intersection. The highway just stops at an intersection. That’s poor design.
When we think about this [IT networks], it’s thinking about the architectural building blocks and the city planning of your digital world in your corporation. That’s where change management [is important].
Howard: So both of you are making the point that even though this is a zero-day, these hacks or the severity of the hacks could have been prevented by basic cybersecurity.
David: Yeah. It goes back to you cannot control a zero-day, but you can control all the things you do to mitigate the possibilities of a zero-day. So, control what you can and hold the vendors accountable because this zero-day should never have happened. This should not have happened this way. And I think the SEC [U.S. Securities and Exchange Commission] investigation into Progress Software is going to be very interesting in 2024.
Terry: I think it can be easy to have better systems in place. Obviously, make sure you have your proper patch management in place. Because if I remember correctly, folks that had EDR in place and they [hackers] tried to do an update, it flagged it as malicious. So those who had EDR in place already saw this alert. So it prevented the breach from happening on their systems. But, you know, they [the breaches] could have also been avoided by doing proper network segmentation. And of course awareness training is going to help as well too — identifying weird behavior can help lock it down.
Howard: David, you talked about the SEC investigation. My suspicion is that the SEC is going to investigate [Progress Software’s] communications. They’re not going to be doing a cybersecurity forensic investigation of Progress Software. One thing though, the Nova Scotia Information and Privacy Commissioner has launched an investigation into the hack of the provincial department of health’s MOVEit server. So perhaps cybersecurity lessons will come out of that inquiry.
David: I want to give a shout-out to the Government of Nova Scotia … because they were communicating [to the public] very quickly about this incident, whereas some U.S. states didn’t communicate till months later. … I do think the SEC could potentially dig into all of the statements that companies make about their material cyber risks and how they’re managing those risks. It could look for evidence of how did this company’s code get so poorly written? Why didn’t it get caught on pen tests?
Terry: There’s going to be a nice fancy report with a set of recommendations to help prevent similar breaches in the future. But it’s going to be the same stuff again: Make sure you improve your security protocols, employee training, and make sure you update your incident response plans. How is this going to be different than what we’ve been talking about for the last 10 years?
Howard: One angle that I hope will be investigated is that according to researchers at Kroll, not only was the Clop gang in the MOVEit systems of victim organizations for months before the data was stolen, the gang had figured out a vulnerability to exploit a similar file transfer application called GoAnywhere MFT. The gang decided for whatever reason to siphon data from victims from GoAnywhere first, and then they did the MOVEit exploit.
David: A couple of things: Clop is a type of blood-sucking bed bug. Two, this is one of the few groups that actually earns the advanced persistent threat methodology … because they ran a really advanced business operation. They sequenced how they were gonna go to market. They prioritized, they worked at scale, they figured out what was going to work … So A-plus to cybercriminal innovation by Clop, which also is an important lesson to us defenders: They are working smarter, not harder. We have to work smarter, not harder.
The other top news stories of 2023 we discussed that you can hear on the podcast are:
– A record year for ransomware;
– U.S. Air National Guardsman charged with publishing classified documents. Investigation report released;
– North Korean group hacks 3CX VoIP app;
– Cyber attacks increasing on critical infrastructure;
– Chinese-based hacker forges Microsoft Outlook access tokens;
– Theft of 24 years of personal data of Canadian federal, military and RCMP employees from two moving companies;
– U.S. Cyber Safety Review Board issues report on why the Lapsus$ gang was so successful.