When Brett Callow, B.C.-based threat analyst for Emsisoft, was asked to describe 2021, he reduced it to three words: “A crazy mess.”
The mess started in January, with CISOs scrambling for evidence their networks had been compromised by the SolarWinds Orion hack, and went on from there. CISOs learned that other platforms in the supply chain, such as Kaseya and Accellion FTA, had been compromised; rushed to patch on-premises Microsoft Exchange servers in the wake of the Hafnium compromise; and realized the vulnerability of critical infrastructure after the (thankfully interrupted) attack on a Florida water treatment plant and the ransomware attack on the U.S. Colonial Pipeline. The year ended with them scrambling for evidence their networks had been compromised by the Log4j2 bugs.
In this country, the Canada Revenue Agency had to force 800,000 taxpayers to reset passwords to their accounts after learning someone was using compromised credentials for access, the Newfoundland and Labrador healthcare network suffered a huge data breach of patient and employee information stretching back more than a decade, and the Governor General’s IT network was hacked. The federal government’s Communications Security Establishment (CSE), which looks after security for government networks, still won’t comment on the cause of that attack, or what data might have been accessed.
The good news? Some ransomware gangs were disrupted — apparently only temporarily — because law enforcement agencies are getting more aggressive. An Ottawa man was accused of being behind a number of attacks. A global Ransomware Task Force issued a long report with solid recommendations for fighting attacks. And the Canadian Centre for Cyber Security released a Ransomware Playbook for IT leaders.
Some rough signs of the level of attacks in this country (given that incidents are still under-reported): The federal privacy commissioner received 782 breach reports, affecting at least 9 million Canadian accounts, for the year ending March 31. And that only covers federally-regulated organizations such as financial firms, communications providers, transportation companies and energy companies.
The leading cause of reported breaches was unauthorized access (64 per cent), which includes external actors gaining access to systems through malware, ransomware, or social engineering. It also includes employees viewing information without authority and using the information for inappropriate purposes.
Twenty-eight per cent of breaches were caused by unauthorized disclosures, including employee errors involving misdirected communication and disclosures resulting from a failure of technical safeguards and system vulnerabilities.
As for ransomware, the Canadian Centre for Cyber Security says it knew of 235 incidents against Canadian victims this year, as of mid-November. Many of them were small to mid-sized companies. Around two dozen have been named on the data leak sites of ransomware groups, according to a security researcher. Most of the firms didn’t return a reporter’s call for comment.
“Companies in Canada still have some way to go to bolster their cybersecurity,” said Callow. “It’s impossible for any org to be completely secure, but they can do more than they are currently doing in some cases. Far too many ransomware attacks and other security incidents occur because of very basic, simple security failings. If all organizations were to adhere to Cybersecurity 101, there would be far fewer incidents.
“I think the real takeaway is that in the past organizations could get away with having sloppy security and probably wouldn’t be penalized. Now they are far more likely to pay the price, literally and figuratively.”
As for the Log4j2 vulnerability, Dave Masson, Ottawa-based director of enterprise security at Darktrace, said, “it will be around for ages.” IT departments, he noted, “have to find it in the first place.”
The vulnerability is another example of why IT leaders have to assume an attacker can get by initial defences and focus on detecting suspicious activity inside their networks.
“Things are getting better,” he insisted. But, he added, the skill of threat actors means CISOs are still being reactive to attacks.
Daphne Lucas, Calgary-based cyber strategy services lead at Deloitte Canada, said one area where organizations here could do a little bit better is in information sharing. “In other countries, we see [more] collaboration with government agencies and information security professionals,” she said in an interview. “They will try to help each other and look for things others are seeing” through industry or cybersecurity groups. In Canada, infosec pros work more informally, she said. “We’re getting there. We’re just a little bit further behind in the curve.”
Ken Muir, a virtual CISO with managed services provider LCM Security, which has 12 partners across Canada including distributor Tech Data Canada, said he’s seen a shift this year in the seriousness that organizations are now putting into cybersecurity. “Organizations that didn’t spend on security are now realizing it’s a cost of doing business,” he said in an interview.
Still, he said that to lower the risk of being a victim of a cyber attack, organizations have to create a culture of security.
Notable incidents in 2021
These are some of the notable incidents ITWorldCanada.com and other news media covered this year:
–the more researchers delved into the SolarWinds Orion hack the more malware they found. They also realized the attack started as far back as September, 2019;
WHAT IS IT? The hack was discovered in December, 2020, and IT leaders with Orion in their networks spent much of early 2021 figuring out if they’d been hacked. A Russian-based group Microsoft calls Nobelium found a vulnerability in the Orion security update mechanism and used it to spread backdoors and malware through updates. Some 18,000 organizations downloaded infected updates, but only 100 organizations were actually hacked.
WHO WAS HIT? In the U.S. alone nine federal agencies and about 100 private sector companies were compromised.
WHY IS IT IMPORTANT? This was a highly sophisticated attack that brought supply-chain attacks to a new level. It even got past SolarWinds’ code-signing certificate, which is meant to assure customers that updates haven’t been tampered with. According to CrowdStrike, the attackers were able to get past Active Directory 2FA protection. According to a report this month, the Nobelium group is still going strong.
Since the discovery of this attack and the compromise of Accellion FTA (see below) CISOs have become more sensitive about supply chain attacks.
–after discovering four vulnerabilities in Microsoft’s Exchange Server being exploited by a state-supported Chinese group it calls Hafnium, Microsoft said the bugs were also being exploited by others to install ransomware;
WHAT IS IT? Hafnium primarily targets entities in the United States in a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.
WHO WAS HIT? Microsoft says thousands of on-premises email customers, small businesses, enterprises and government organizations worldwide were impacted by the unpatched vulnerabilities.
WHY IS IT IMPORTANT? Exploited Exchange Servers enabled access to email accounts, which led to the installation of additional malware to facilitate long-term access to victim environments. Initial news reports said hundreds of Exchange Servers hadn’t been patched in March, when news first broke. Exchange administrators not only have to install all patches, they have to ensure their environment wasn’t hacked before the patches were installed.
–ransomware continued to make global headlines, with high-profile victims including Colonial Pipeline (which caused lineups at U.S. east coast gas pumps); JBS Foods (which disrupted meat production in the U.S., Canada and Australia); computer manufacturer Acer; and insurance company CNA, which reportedly paid US$40 million to regain access to its network. According to a letter the insurer filed in the U.S., that attack started with an employee downloading a fake browser update.
In a similar vein, a ransomware attack on a European biomolecular research institute started with a student downloading a cracked version of an application to his computer, which later connected to the institute’s network;
–in another attack on an infrastructure provider, the on-premises version of Kaseya’s VSA remote monitoring and IT management tool was compromised and used to spread ransomware. In an echo of the SolarWinds attack, the attacker, reportedly the REvil ransomware gang, used its access to send out infected VSA updates. Sophos said more than 70 managed service providers that used the product had been impacted so far, resulting in more than 350 of their customers being hit. A Ukrainian man was arrested in Poland on a U.S. indictment alleging his involvement;
–Canadian organizations victimized by ransomware included Home Hardware, Sierra Wireless, Toronto’s Humber River Hospital, commercial real estate firm Colliers International, Discount Car and Truck Rentals, and the Sault Ste. Marie, Ont., police department.
WHAT IS IT? Ransomware is hitting organizations big and small. Hackers prefer it over stealing and selling data.
WHO WAS HIT? Any organization a ransomware gang can get into.
WHAT CAN I DO? Almost any vendor your IT department deals with — Microsoft, Cisco Systems, IBM, Emsisoft, McAfee, Symantec, FireEye and more — has free advice. So do the U.S. Cybersecurity and Infrastructure Security Agency, the FBI and the Canadian Centre for Cyber Security. As mentioned above, the Ransomware Task Force issued a long report with solid recommendations for fighting attacks. And the Canadian Centre for Cyber Security released a Ransomware Playbook for IT leaders.
–the cyber attack on the Newfoundland and Labrador healthcare network is probably the biggest healthcare attack in the country. Health system employee data — including social insurance numbers — in one regional district going back 28 years was accessed. Patient information going back 11 years was accessed in another health district.
In addition, social insurance numbers of 2,541 patients — about half of whom are now deceased — were accessed by hackers. The province isn’t sure why patients were asked to provide their social insurance numbers;
The province continues to call this a cyber attack, although one threat researcher who works for a cybersecurity firm and asked not to be identified has told ITWorldCanada.com that the Conti ransomware group is responsible;
–the Peel District School board was hit by what it called a cyberattack, as were Ontario’s Lakehead University and Durham Region;
–distributed denial of service attacks were launched against a number of organizations around the world, including a Montreal-based VoIP provider. Victim firms usually face a demand to pay a ransom or the attacks won’t stop;
–Montreal-based Web Hosting Canada suffered an “incident” that knocked out web and backup servers used by customers. Most, but not all, customer data was recovered. The CEO said an individual with a third-party service provider used their privileged account access to connect to a WHC datacenter management portal and, without authorization, initiated server reimaging on some of the backup servers and production servers;
–a vulnerability in Accellion’s FTA file transfer utility was used to attack a number of companies including Bombardier, Shell and the City of Toronto.
Predictions for 2022 from Masson and Callow
Dave Masson:
–ransomware attacks will increase;
–attacks on supply chain applications will increase;
–there will be more direct attacks on email systems so attackers can send phishing messages from genuine accounts. One example was the hack of an FBI email server;
–the so-called “great resignation” of people leaving their jobs will see some employees walk off with corporate data;
–artificial intelligence will be used by CISOs in new products to find and fix vulnerable attack pathways in their networks. Masson likened it to “continuous red teaming.”
Brett Callow:
–“loud and brash” ransomware groups will try to keep a low profile in hopes of being less of a target of law enforcement agencies. That may include listing fewer corporate victims on data leak sites;
–threat actors will continue trying to co-opt red team tools for their own use;
–law enforcement agencies will continue trying to find ways around end-to-end encryption offered in a number of text, email and social media platforms;
–attempts by governments to collect more data on residents may become more contentious;
–there will be more co-operation between the public and private sectors in many countries in combating cyber threats. That will go some way toward putting a dent in ransomware, Callow said. Emsisoft was one of a number of cybersecurity firms that worked with several agencies to take down the BlackMatter ransomware gang.