Welcome to Cyber Security Today. From Toronto, this is the Week in Review edition for the week ending Friday April 1st, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In a few minutes I’ll be joined by Terry Cutler, head of Montreal’s Cyology Labs, to discuss a few headlines from the past seven days. But first a brief roundup of some of what happened:
World Backup Day urges IT departments to take a rigorous approach to backing up corporate data. Terry and I will go over what you need to be doing.
Trellix issued a report on nation-state threat actors. These are countries, or their proxies, who are largely doing espionage and stealing corporate information, such as product or pharmaceutical secrets. Seventy-four per cent of survey respondents suspect that a state actor targeted their organization in the previous 18 months. Terry and I will delve into this report.
We’ll also look at reports that internet providers and companies, including Apple, are sometimes fooled into giving away information about subscribers by crooks pretending to be police dealing with an emergency.
The province of Newfoundland and Labrador admitted that more than 200,000 patient and employee files were accessed in a cyberattack that temporarily crippled the healthcare system last November. The actual number of people affected might be smaller because of repetitions in the files. One healthcare region hacked said it is paying closer attention to user passwords and multifactor authentication as it rebuilds its network.
Meanwhile the Hive ransomware gang claims it hit a California non-profit agency that helps people access healthcare in the state. The agency’s website says it’s investigating certain activity with a forensics specialist.
Last week police in England detained and then released a bunch of people between the ages of 16 and 21 that reporters suspected of being part of the Lapsus$ extortion gang. Perhaps they weren’t as deeply involved as was thought, because this week the Brazil-based IT company Globant admitted it was hit by Lapsus$. The company said a “limited selection” of its source code as well as project-related documents of a very limited number of clients were accessed.
UPDATE: U.K. police have laid charges, according to the BBC. Two teens are charged with three counts of unauthorized access with intent to impair operation of, or hinder, access to a computer, and two counts of fraud by false representation. The 16-year-old, has also been charged with one count of causing a computer to perform a function to secure unauthorised access to a program.
More malware-infected software packages were found in the NPM open-source library, another warning to developers that code taken from these libraries need to be closely scanned before being put into their projects.
Police in a number of countries arrested 65 people including nine U.S. residents, two Canadian residents and 12 in Nigeria as part of a global crackdown on business email compromise scams. Often these are scams that convince employees to transfer money to what they think are legitimate bank accounts. They do it by cracking emails and pretending a customer is changing banks.
Finally, in case you thought ransomware attacks aren’t too costly a customer relationship management software company called Atento said an attack last year cost it $42 million. Of that $34 million was lost revenue, $7.3 million was spent on repairing and improving IT systems.
(The following transcript has been edited for clarity)
Howard: Let’s start with the importance of a solid IT Backup strategy. I think it would be obvious because data theft has been with us almost since the beginning of the public internet. However, big causes of data losses are also hardware failure and human error. Yet some companies, big and small, still don’t get backup right. The only way they find out is when there’s a crisis. Why is that?
Terry Cutler: Making a backup and not testing. It’s like not having a backup at all, and not just that we have to also worry about can hackers get into the system and actually wipe out that data. We’re seeing what’s happening in Ukraine with the wiper malware. So it’s very important that you know who has access to the data. If the internal backups are being wiped can we can we get access to to the backup?
Howard: So it’s important to have a rigorous backup strategy because it’s part of your disaster recovery strategy. What are some of the worst backup incidents that you’ve come across in your career?
Terry: One happened a couple of years ago when a customer got hit with ransomware. All of their current backups were were were encrypted. And the attackers were asking for over a million dollars to recover the data. They tried their tape backup but found out that their offsite tapes weren’t being regularly changed so that data was over seven months old — and when you’re dealing with health information you need to have more regular and more up-to-date copies of your data. They tried to restore the data from the tapes. But then we found out that the server that’s being ransomed is the only server that can run that old version of software for the tape to be able to re-index. Then we found out that the database [on the tape] was corrupt it would have taken weeks to re-index it. We sent it out to a data recovery firm and were able to recover most of the data, but it’s still seven months old. So test your strategy.
Howard: Experts say you need a 3-2-1 backup strategy. Explain that.
Terry: The 3 represents having three copies of your data at all times. Two of those should be on different media. And one of them will be held offsite.
Howard: A lot of it people get confused between an incremental backup and a differential backup.
Terry: The biggest difference is that the incremental backups will only include data that’s been changed since the previous backup. Let’s say you’ve backed up a terabyte of data but only 200 megs of it changed. It’s only gonna back up 200 megs. A differential backup will back up all of the files since the last full backup. Differential copies will help you recover faster because you just have to restore the full copy, then just restore the latest differential copy. The danger you’ll have with incremental copies is that you may have 17 copies to fully restore data. If one of those copies is damaged it’ll break the whole chain of recovery. So there’s a lot of risk.
Howard: Another thing to keep in mind is you’ve got to make sure that your backup isn’t always linked to your live network. That can be difficult if you’re in a business where you’ve got to make like backups every 30 seconds.
Terry: That’s the example I just gave. You had two side-by-side storage units with a fiber-optic connection between the two making backups of each other in case one failed. But because they were on the same network they both got encrypted.
Howard: So when you’re planning you got to make sure that doesn’t happen. I came across a list of common mistakes that small IT departments make and they include things like inconsistent backups, forgetting that there are other offices in the company that may be outside the main branch, ignoring mobile devices, relying only on physical storage, not using your backup software’s automation features, forgetting your archive needs and not storing a copy of your backup offsite. Are these the kinds of things you’re seeing?
Terry: Yes, and I think that the moral of the story comes down to test, test, test. And I think it’s also really important that you have proper software and hardware inventory, because, going back to that [ransomed] customer, they weren’t prepared for this. So they had no idea where their software installation keys were, they didn’t know where to download the software for their accounting solution, didn’t have the proper license keys to activate the products. In another case they didn’t know what third parties have access to their network. So they might be fully secured from external threats, but they don’t realize that a third party has access to the internal network to sensitive information. We saw in a previous case where an MSP (managed service provider] got attacked and the attackers got into 40 of their customers via TeamViewer and ransomed them all. So it’s very important to know who has access to your data. The other thing is how fast can you recover from any type of disaster?
Howard: One thing that that’s vital to remember is that cloud providers probably don’t back up the data that you have with them. Email providers like Gmail or your web hosting provider may not be backing up your backup.
Terry: There was a high-profile case that just happened recently with [cloud storage provider] StorageCraft. By human error they accidentally destroyed all customer backups. And that is is pretty much every CEO’s nightmare. They get hit by ransomware and there’s no data backup. What’s worse is that some customers of StorageCraft could also be managed service providers, who have their own customers. So if their customers ever got hit. Um, they’re trying to rely on storage craft to recover their data. That’s why offline backups are key.
Howard: There was a problem with a Canadian company called Web Hosting Canada. They lost some data and some customers might have had trouble because the provider didn’t have immediate access to their data. [Most but not all website data was recovered]
Terry: It’s like the whole zero trust model — Have your proper offsite backups. Trust no one.
Howard: And you need to do two vital things: Once you have a backup strategy, you’ve got to regularly verify the integrity of your backup data and you’ve got to have it staff practice restoring your data.
Terry: Exactly.
Howard: You can get lots of good advice on backing up on backup strategies from your existing vendors. You don’t necessarily have to hire a consultant. The big IT suppliers that you already deal with, including Microsoft, will have free advice. And so does your trusty taxpayer-supported sources, which are governments. In Canada that’s the Canadian Centre for Cyber Security, in the United States it’s the Cyber Security and Infrastructure Security agency, and for those of you in the U.K. who are listening, it’s the National Cyber Security Center. They’ll have free advice that will get your IT department thinking about how you can develop and a mature store backup strategy.
Howard: Let’s turn to the Trellix report. For those of you who don’t know, Trellix is the name of the merged FireEye and Mcafee Enterprise companies. This is one of the first reports from the new firm and they talk about the importance of being aware of nation-state or nation-state-supported threat groups that may attack your company for a variety of motives. What I got from this is that organizations underestimate the number of attacks from nation-states that they may face. What did you learn?
Terry: From this report, but also from the years that I’ve been going back and forth with my friends in Ottawa who helped investigate this exact matter[foreign interference]. Years ago they [the RCMP] didn’t have the expertise nor the jurisdiction capabilities to stop this. The other thing is when someone [a nation state] has embedded themselves into things like firmware it’s very, very difficult to know there are beaconings [back to the group] going on.
There’s no silver bullet to stop the hackers from getting in, but there are technologies and experts that exist that you can have in the background that will give you a holistic situation, a situational awareness of your entire network. So while these components are being attacked the company would be able to get notification that these weird things are happening. It really comes down to visibility: Do you have detection technology in place to notice something’s going on? And you have a response plan to get the hacker out once he’s been detected?
Howard: One of the dangers of a nation-state attack is data theft of intellectual property that could lead to the collapse of your company because it passes on the data to one of its prize companies and puts you out of business. The report doesn’t mention it, but one example is the collapse of Canada’s Nortel Networks. There was one Nortel official who investigated suspicious activity on the network and is certain that the theft of intellectual property from hackers from China led to Nortel’s downfall.
Terry: They were warned multiple times by intelligence agencies.
Howard: Is attribution of an attacker important? Isn’t it my job as a CIO or CISO or IT leader to protect important data no matter who attacks me?
Terry: The problem is sometimes you’re too close to the data you lose sight of what’s possible. That’s why it’s important to go to a third party that can look into these matters for you and get fresh eyes on your situation. We’re going to find things that you typically wouldn’t think of. A lot of times customers don’t have the in-house expertise. The CIO or CISO’s job is to bring as much risk visibility into the organization as possible. But sometimes they just don’t have the staff to do it.
Howard: So what should companies do to blunt the threat of a nation-state attack given that countries have the luxury of time and money behind these attacks?
Terry: It really comes down to can you monitor your network in a holistic way and look at all the traffic that’s leaving your company. Look for things like beaconings to unapproved servers in China or Russia when your organization’s in Canada. That might not be normal. Make sure you have endpoint detection and response technology.
Howard: Finally, you spotted an interesting post by American cyber reporter Brian Krebs. Tell us about that.
Terry: Hackers were able to break into law enforcement agencies and used legitimate email accounts to ask for urgent request information from providers. Usually if law enforcement wants information about a specific individual they need a subpoena [or court order] to get it, but there is a process called an urgent request that law enforcement can make. Companies like Facebook or Apple will provide that information because it’s coming from a legitimate source. But in some cases cybercriminals got into a legitimate law enforcement email address and asked for people’s information like the address of a subscriber, their IP address and some other personal details.
Howard: Just to be clear there usually has to be a matter of life and death so police can quickly track down who is behind a cyber attack or an imminent criminal offence. There was a mention of Apple and Meta from Bloomberg News. Meta, of course, is the parent company of Facebook. Sources told Bloomberg that these two companies ah provided customer data to hackers who were masquerading as police. Meta issued a statement saying, ‘We review every data request for legal sufficiency and use advanced systems and processes to verify law enforcement requests and so we can also detect abuse. We block known compromise accounts from making requests for work with law enforcement to respond to incidents involving suspected fraudulent requests.’ And in this particular reported case they’ve also Investigated it. It seems to me that and this is a matter of perhaps police forces are trusting email, like a lot of other companies do. And in some cases they may not have the processes that they need to make sure of the authenticity of a request for personal information.
Terry: It sounds to me that law enforcement needs to beef up their cyber security. There is technology out there that monitors email accounts that looks for what’s called impossible travel. For example, one day you’re logging in from Montreal as as a police officer, the next hour you’re logging in from Lagos, Nigeria. An alert would be triggered and it can block the account.
UPDATE: Asked for comment, the Canadian Association of Chiefs of Police say neither the RCMP’s National Cybercrime Co-ordination Unit (NC3) nor the federal government’s Canadian Anti-Fraud Centre have yet to receive reports of this type of scam here.