Welcome to Cyber Security Today. This is the Week in Review edition for the week ending March 18th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
If during this show you hear what sound like someone banging on my roof, that’s exactly what’s going on today. Of course, the roofers chose to do it during the podcast recording.
In a few minutes guest commentator Terry Cutler of Montreal’s Cyology Labs will join me to dig into several news items from the past seven days. But first a summary of what happened:
Next to ransomware, data wiping malware is perhaps the most feared weapon threat actors can deploy. Wiper malware is being used by against organizations in Ukraine. This week researchers found a fourth distinct wiper malware in Ukrainian organizations since the beginning of the year. Terry and I will discuss this weapon, which may spread to other countries if the cyberwar heats up and Russian-based threat actors choose to strike out at other countries.
Meanwhile the hactivist group called Anonymous struck what it said was a blow against Russia by allegedly hacking the German division of Russia’s Rosneft energy company.
Terry and I will also look at the fact that American operators of critical infrastructure now have to report cyberattacks and ransomware payments to the government.
We’ll talk about a report out this week on the state of mobile device security. One finding: 42 per cent of IT respondents said that mobile devices and web applications had led to a security incident in the previous 12 months.
And we’ll also examine a survey of what people in five countries, including Canada and the U.S., think about their online privacy.
Elsewhere, developers using the OpenSSL software library for secure application communications were urged to install the latest patch in their projects. According to an advisory issued by OpenSSL, a library function has a high severity bug.
Israel’s National Cyber Directorate said that the country suffered a denial of service attack on Monday that briefly took down a number of government websites. An Israeli newspaper quoted a source saying it was the largest-ever cyber attack launched against the country.
Japanese auto parts manufacturer Denso said its German division was hacked by an unknown threat actor last week. The company said that while it cut off internet connectivity to affected devices there was no interruption to production. There was no word on whether corporate or personal information was copied.
And online game developer Ubisoft admitted it had to order a company-wide password reset after suffering a cyberattack at the beginning of the month. It said no personal information of users was compromised.
(The following transcript has been edited for clarity)
Howard: Joining me now is Terry Cutler. Thanks for being with us this week. You’ve just come back from a conference in Dubai.
Terry: I was fortunate enough to be a keynote speaker for the 20th annual regional conference for the Internal Auditors Association. So I was in Dubai I got to experience plus 31C last week. Unfortunately going back to like 2C here.
Howard: I want to start today’s show with the cyberwar between Russia and Ukraine. One weapon being used against Ukraine is wiperware. This type of malware isn’t new.
Terry: If we think about how ransomware works today, attackers will infiltrate your environment, stay undetected for a period of time — say weeks or months — and then once they have access to the target systems they launch a ransomware attack to encrypt all of your data. A wiper attack is similar, except they erase the master boot record and blank out the hard drive. This is actually catastrophic if you don’t have backups of your data.
Howard: Is there anything different in the four strains of recent wiperware that we’re seeing used against Ukrainian targets.
Terry: The attackers have gotten a bit more sophisticated. We saw this attack happen against Saudi Aramco back in 2012 where 35,000 hard drives were wiped. What’s happening is attackers want to try and find more ways to get in [to a victim’s IT environment]. One of the ways is by a fake antivirus solution. The victim gets a phishing message saying ‘There’s a new virus scanner. Please update it.’ It’s actually a piece of malware called Cobalt Strike, which is an agent that beacons out to the attacker and lets them install more malware onto the machine. Another one could be a fake Windows Update. We’ve seen that In Ukraine. That’s why it’s important to make sure that your users don’t have administrative access on their computers. We’ve also seen things like the Anonymous hacktivist group apparently has now gained access to [the German division of] a Russian energy company and it’s actually been able to wipe its iPhones. Imagine if that could be done here – something starts wiping out your smartphones. That’s why it’s very important we have visibility into IT environments.
Howard: Also this week Germany’s cyber security agency warned critical infrastructure providers in that country — and when we talk about critical infrastructure we meet banks and telecommunications companies and others designated by the government — as well as consumers to stay away from antivirus provider Kasperski because it’s headquartered in Russia. A Russian IT provider could be forced against its will to work for the government said the German government’s notice. Kaspersky denies that it has ties to Moscow, but coming in the middle of of this war between Russia and Ukraine is this notice from Germany practical or political?
Terry: I think at the moment it’s very political, but this capability exists right? If you look back in 2015, I believe, there was a report that Kaspersky software let Russians see documents on a U.S. National Security Agency employee’s computer.(Related links to a Politico story and one from CBS news are here). So the capability is there, and I think there are definitely things to worry about. Because if the Russian government is able to threaten an employee of Kaspersky and say, ‘If you don’t do this malware attempt takeover or whatever you’re gonna spend the rest of your life in prison and your family will join you,’ that’s a lot of pressure. It could cause an employee to turn on their business. Kaspersky’s not the only one [with headquarters or research offices in Russia]. If anything happened to these companies it can have mass effect on the IT community. That’s why visibility is going to be key.
Howard: I want to talk about malware being used against Ukraine because I think that IT staff in countries that are opposed to the Russian invasion need to keep an eye on the tactics that are being used there in case cyberwar spreads.
Terry: I think IT pros are watching what’s happening right now and seeing the potential of what kind of threats could happen and how it can affect their business or their or their government, and get prepared. Because anybody that’s opposing right now will become a target.
Howard: Here’s another little thing: Earlier this month a credit monitoring agency called DBRS Morningstar warned insurance companies that cyber claims from their corporate customers will probably increase if cyber-attacks on companies outside of Russia and Ukraine increase. However, it isn’t clear that insurers will pay up, and that’s because most insurance policies have war exclusion clauses. So your company makes a claim, the insurance company may say, ‘No this is an act of war. We’re denying it.’ It’s going to be up to the insurance company to prove that a cyber attack was for example from the Russian government. Of course attribution of an attacker Is very hard. On the other hand, companies shouldn’t assume that their cyber insurance damage costs will be covered.
Terry: I think the biggest part in that is going to be attribution. How do you know that it really came from this war, because there’s nothing stopping me [as an attacker] from setting up shop or running a VPN into Russia and running it back into Canada and attack a business. You say it was Russia that did it. And if the payout [for a claim] can only happen after the investigation’s concluded, that could take months. That could be detrimental to a business that requires the funds to get back up and running.
Howard: I want to move on to another topic. The U.S. may be close to forcing American companies that provide critical infrastructure services — like banks and telecom providers and energy and transport companies — to report substantial cyber attacks to the government. This is part of a funding bill. It will require these firms to report incidents to the Cyber Security and Infrastructure Security Agency within 72 hours. If they pay a ransomware demand they’re going to have to report it within 24 hours. The idea is to give the U.S. federal government a better idea of what’s going on in terms of cyber attacks. Is this a good idea?
Terry: Yes and no. It’s important because we can share intelligence data of what these types of attacks are happening — how did it occur and such. On the flip side, it’s bad for business and it loses the public’s trust. Imagine your bank gets hacked and your personal information is stolen. As a consumer how reluctant are you going to be to do more business with this bank? You’re going to try and move your money to another bank. When we do incident response for companies they try to sweep it under the rug. They don’t want to disclose that they’ve been hacked. But I think that it’s important that these regulations come in because it’s going to help secure companies even more, because folks that didn’t want to invest in cybersecurity will now have to.
Howard: Well, one of the advantages is if federal cyber security agencies know that there’s been an attack they can gain certain technical information from, but it also means that they can more quickly reach out to these companies and say if you need help we’re available. In terms of consumers, we’re talking about the United States which does not have a national data privacy law [with an obligation to notify data theft victims]. A number of U.S. states do have data privacy laws and therefore the customer will know eventually that there has been a cyber attack. And companies may also have to report under the Securities and Exchange Commission rules if they’re a publicly-traded company. But I recognize that some companies will try to sweep it under the rug. Other companies won’t have that opportunity.
Terry: I think also with the small but especially the small medium-sized businesses, they still have that mindset of no one’s going to want to hack us. ‘We sell glass, we sell apparel. who’s gonna want to hack us?’ They don’t understand. It’s all about the money. Once they’ve ransomware you, they want you to pay up.
Howard: The interesting thing is the provisions on this bill are really serious. The CISA can subpoena American critical infrastructure companies that fail to report incidents or ransomware payments. And failing to comply with the subpoena can be referred to the Justice Department and could result in a company being banned from doing business with the U.S. federal government. Reporting ransomware payments within 24 hours would be required for nonprofits, businesses with more than 50 employees as well as state and local governments. I don’t know the exact ins and outs of U.S. legislation. But if this is part of a financing bill and it’s agreed to by the House of Representatives then it will become law shortly when President Biden approves the budget.
Correction: I didn’t realize that President Biden had signed the law on Tuesday. It will come into effect when the government publishes a notice in the Federal Register on proposed rules to implement the reporting.
…
Howard: So do you think this is a good idea for any government to adopt the sort of mandatory reporting of critical infrastructure companies if they’ve been hacked or if they’ve made a ransomware payment?
Terry: Absolutely. I think the time has come. I mean we’ve been preaching for the last 15 years it’s time that businesses get really serious about cybersecurity and protect the data.
Howard: There was a report out this week from a cybersecurity company called Zimperium (registration required) on threats from mobile devices. This is important because more employees are working remotely due to the pandemic. Some of their smartphones, laptops and tablets are under the direct control of their employers because they’re provided by the IT department, but devices that employees use and are owned by them personally may or may not come under the employer’s mobile device management system. What were some of the nuggets that you pulled from this report?
Terry: I think that we’re starting to see more and more malware for mobile devices coming out. We’ve seen Pegasus in the news yet again, and there’s been more and more malware coming out for Android devices … The other danger with mobile devices is you can go anywhere any time with these devices and connect to any malicious public Wi-Fi. So we’re seeing more security incidents from these devices. Things like users being tricked into logging into an application that they think is the businesses. Instead they’ve provided their user and password [to an attacker], which can cause a data breach. We’re seeing a lot of unauthorized applications that are that are accessing the enterprise data. There are also issues with poorly written apps.
Howard: In your work do you find that organizations pay enough attention to mobile device security?
Terry: Not really. It’s basically they just use it to push down an app container. It basically means you’re gonna have a little folder on your phone with the top eight business apps. They try to stay away from locking down the device because they don’t want to receive many help desk calls. What’s worse is that a lot of companies allow employees to bring their own mobile device to work. Which means that the employer cannot just take that device whenever they want because of privacy laws. But here’s the other issue: Let’s say this device gets compromised or stolen and the business goes and wipes a device — but this is your device. You’ve got your kids’ birth photos and all your private stuff and they’ve just wiped it on you. It actually opens a door for a lawsuit. If I was the business owner I would be giving the employee a corporately owned phone that should only be used for corporate.
Howard: The last story I want to look at is a consumer privacy survey done by a cybersecurity firm called Surfshark. It’s a poll of less than 2,000 consumers in Canada the U.S., the United Kingdom, Australia and Germany. One finding is 90 per cent agreed or partially agreed that online privacy is important to them, but 32 per cent said that the quality of internet services is more important than privacy. One-third of respondents said they’d been the victim of a data breach. Only 36 per cent said that they use a password manager. When you looked at the survey did you think that the questions that were asked were really useful?
Terry: I did. But I think we gave up our privacy a long time ago when we want to watch those cat videos. This is a field that I’m very familiar with. I deal with over 39,000 students from 160 countries in my training program, which is all based on internet safety. So I get to see firsthand some of the problems they face, and a lot of times they just have no idea what’s happening with their data when they use it online. They’re clicking on links they are not supposed to, they want to open up every single joke that comes in from their family and relatives, and they’re like, ‘Well, I only open up emails from people I know.’ But there’s a thing called spoofing. They can receive an email that looks like it came from their relative and click the joke, which installs malware on their machine and the next you know they’re being ransomed or their machines or their webcams are being turned on and passwords are being stolen. It’s a real mess for consumers right now.
Howard: One of the things I noticed in the survey: Only 63 per cent of the respondents said that they use antivirus.
Terry: It could be higher, but they think that — especially those with a Mac — ‘I have a Mac. No one’s gonna want to hack me.’ But they don’t realize that there is malware that exists for Mac. … The other issue that I see a lot of is that people feel their data is not important enough to be hacked and stolen so they use the free antivirus stuff instead of the paid stuff that’s far more advanced. But when I explain your tax returns are on your computer, your CV is on there, there’s some critical documents, then they start realizing the importance of having better digital hygiene.