Welcome to Cyber Security Today. This is the Week In Review edition for the week ending Friday March 19th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
With me today is Dinah Davis, vice-president of research and development at Arctic Wolf. In a few minutes we’ll delve into one item that’s been in the news. But first a review of what happened in the last seven days:
Hate getting robotic calls on your phone? The U.S. Federal Communications Commission has given you a bit of revenge. This week it fined two Texas-based telemarketers $225 million for running an automated phone scam that spoofed the phone numbers of real insurance companies. Their servers made millions of robocalls a day. In addition to going after scammers in the U.S., the agency also issued cease and desist letters this week to robocall companies in the United Kingdom, and six firms here in Canada.
The U.S. intelligence community says Russian President Vladimir Putin authorized Russian government organizations to try and undermine American public confidence in last November’s elections. However, unlike 2016 these efforts didn’t include attempts to get into the election infrastructure. Iran also ran a misinformation campaign to undercut President Trump’s chances of re-election. The report concluded the registration and voting process itself was untouched by foreign actors.
A teenager believed to be the leader of a group that hacked Twitter accounts of people including celebrities last summer to spread a bitcoin scam is going to jail. The teen pleaded guilty to four charges in a Florida court and will serve three years in a facility for juveniles.
Meanwhile a judge in Atlanta sentenced a man to 12 months in prison, in addition to the three years and 10 months he spent in custody, for hacking major websites. He was extradited from Cyprus to the U.S. He also paid $600,000 in restitution to victims and forfeited over $400,000.
Police hope they’ve done serious damage to an encrypted text messaging service they say is used by crooks. A U.S. grand jury indicted the Canadian CEO of Sky Global under a racketeering law for facilitating the sale of encrypted smartphones. Meanwhile European police said they had broken the network of the Sky EEC app used for encrypted communications to arrest a large number of people.
Canadian internet providers say they want to help fight malicious automated botnets that spread malware. But this week they told the telecom regulator they only want to do it on a voluntary basis. The Canadian Radio-Television and Telecommunications Commission had suggested internet providers follow a mandatory botnet-fighting framework. The commission argues that because internet providers have the networks botnets use, they should be doing more. But in written submissions this week the industry overwhelmingly said they want the flexibility to fight botnets under voluntary guidelines. Providers said they do a lot already. One said the burden should fall on manufacturers of internet-connected devices to tighten security so their products can’t be hacked to create a botnet.
Coincidentally, Palo Alto Networks said it detected more attempts to exploit new vulnerabilities in firewalls, virtual private networks, switches and routers to create botnets. In some cases the attacks were launched hours after the vulnerabilities were published. The report urges administrators to always patch network devices as soon as possible.
The FBI released its annual Internet Crimes Complaint report, which makes sobering reading. The agency said last year it received over 19,000 complaints categorized as business email compromises. These involve persuading individuals – often in companies – to unwittingly transfer funds to accounts controlled by crooks. The way it’s done is by sending victims emails that either spoof the real email account of an executive or come from hacked executive accounts. These scams cost American organizations over US$1.8 billion. Overall the FBI received more than 791,000 complaints of suspected internet crime last year—an increase of more than 300,000 complaints from 2019 — and reported losses exceeding $4.2 billion. The top three crimes reported by victims in 2020 were phishing scams, non-payment/non-delivery of product scams and extortion.
Finally, a new survey of IT security decision-makers for a security company called Randori suggests firms that were unprepared for the pandemic had a lot of security headaches. Forty-two per cent of respondents said their organizations were compromised because of unapproved or unsecured computers and smartphones connected to the network. Three-quarters said cyber attacks have increased in the past year. Just over half agreed protecting their organization from online attacks has become more difficult.
The following is a condensed version of my talk with Dinah. To hear the full conversation play the podcast.
Howard: The COVID survey is where I want to start because it offers some insight into the impact of the pandemic on information security leaders. This survey of information security pros on how COVID changed security had some very interesting numbers: Fifty-five per cent of security practitioners agreed that protecting their attack surface has become more difficult since the pandemic started. Are you seeing that?
Dinah: Absolutely. I was able to go and chat with a few of my colleagues over the last few days, and ask them for some stories from their work. One of them, a long-time engineer that I’ve worked with at Arctic Wolf, told me about the impact of VPN splitting early on in the pandemic. Before the pandemic many firms had VPN tunnel splitting for remote access for their employees. With split tunneling enabled, a user is able to connect to [corporate] file servers, databases, mail servers, and other servers on the corporate network through the VPN. But when they go to connect to other internet resources like [general] websites or FTP sites, the connection requests go directly out. That was beneficial to companies because then you don’t get the extra load if somebody is watching Netflix on their work computer. But when everyone moved to work from home, [security teams] all of a sudden lost half of their visibility on what was happening on these employee computers. Many of them were not prepared to turn that VPN splitting off because they didn’t think their corporate network could actually handle the load of everything coming in that way. So this caused a shift for them to start relying much more on endpoint technologies and detections. That shift made it harder because they had to figure out how to do that.
In some cases, the companies didn’t have VPN access set up at all. So when employees moved to work from home, it was very difficult for people to do it. In one case, a company was deploying the VPN to their staff as quickly as they could, but it wasn’t quick enough for their marketing group. So the marketing group went and installed and set up Chrome RDP (remote desktop protocol) on their own with no oversight from security. Fortunately for them, we saw the RDP connections and were able to help them out with that. But many attackers knew this and were able to exploit it.
Our head of threat intelligence said he has seen a 500 per cent increase in ransomware attacks across the world. We’re also seeing significantly more high severity vulnerabilities being discovered and disclosed. And a lot of them are around remote code execution. Examples are the new Microsoft Exchange issues, SonicWall Orion and Google Chrome. And on top of that we’ve noticed it’s taking about an extra 40 days to deploy patches for critical vulnerabilities for our clients. The move to work from home put a huge delay in companies’ ability to get patches out quickly because they had to think of other ways to do it.
Another engineer told me that he’s been seeing over a 250 per cent increase in OAuth consent phishing attacks compared with before the pandemic.
Howard: The other thing I found interesting in this survey is that 42 per cent of respondents said their systems have been compromised because of shadow IT in the past year. For those who don’t know, shadow IT refers to employees who use unapproved computers or smartphones or technology to access corporate information. That fits in with the example that you gave about the marketing department using Chrome unapproved.
Dinah: And I think that was really common, especially in the early days. People were thinking they were doing the right thing, trying to get online and do their jobs properly. When in reality it probably would have been better for the company to hold off for a week and get stuff in place.
Howard: The pandemic caught a number of companies off guard in that way, in that they didn’t have things like mobile device management technology set up so that if an employee used their own computer from home the mobile device management software could check that unapproved computer, make sure that it was secure and had the latest patches.
Dinah: Absolutely. MDMs became much more important during the pandemic, which is also why it’s been really important to get endpoint detection onto your machines so we [IT departments] can actually see what’s happening there.
Howard: I want to turn to the FBI report, and because it’s very well-organized for taking internet complaints, they have very good statistics. One of the things that caught my eye was the increase in business email compromise attacks.
Dinah: In the report they said those attacks were responsible for $1.8 billion, or 43 per cent of all of last year’s total funds lost. And it’s important to remember these were things reported to the FBI, which is a small fraction of what was actually happening because not everybody’s going to report. So it was quite striking for me to see. And there’s also a new trend: In previous years an attacker would transfer the funds into their own bank accounts. The FBI could track that. Now they’re using stolen IDs to create big accounts, and then they transfer the money into a cryptocurrency account, which makes it very, very hard to trace.
Howard: So what can organizations do to reduce the odds of being victimized by a business email attack?
Dinah: You want to use a service that’ll help identify when an email from your company has been part of a data breach, because that’s how attackers get in: They get a username and a password that maybe you previously used and then try and use it again on your site. Also, use multifactor authentication everywhere. I think that’s the answer to half the security questions we always have. Use password managers so that you never use the same password twice. And [IT should] monitor any email forwarding rules that get created. If all of a sudden an employee is forwarding email to an external account, that could mean somebody else is watching it. And then always user awareness training. The more aware people are in your organization of what not to click on and how to have proper security hygiene on their computers, the better.
Howard: There’s no report on trends without talking about ransomware. The FBI said it received 2,474 ransomware complaints last year, with adjusted losses of over $29 million.
Dinah: And of this, about 80 per cent are from phishing. So if you can shut down the phishing attacks on your company by user awareness training, and have two-factor authentication, then you’re going to be in a better place.