Welcome to Cyber Security Today. From Toronto, this is the Week in Review edition for the week ending Friday April 22nd, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In a few minutes I’ll be joined by David Shipley, CEO of New Brunswick’s Beauceron Security, for some lively discussion. But first a look back at some of the headlines from the past seven days:
A new dark web marketplace called Industrial Spy has opened looking to sell stolen corporate data — not back to the victim companies, but to their competitors. David and I will discuss if businesses will take the risk of this new version of industrial espionage.
We’ll also look at a report from Google saying a record number of zero-day vulnerabilities were found last year and what that means.
And we’ll discuss an in-depth analysis of a ransomware gang known as PYSA that goes after hospitals, boards of education, universities and governments.
Also this week, security researchers reported finding evidence those behind the deployment of the Karakurt, Conti and Diavol ransomware are sharing resources.
Security researchers at Varonis said they found unpatched on-premise Microsoft Exchange servers have been compromised with the Hive strain of ransomware. Attackers exploited vulnerabilities known as ProxyShell, for which patches were released eight months ago.
And with spring nearby the FBI warned the U.S. agriculture sector that ransomware gangs may try to attack during the planting season. Two attacks against firms in the sector have been seen so far this year.
Application developers using certain versions of the Heroku Dashboard and the Travis CI continuous integration application testing service were combing through their code after the discovery that stolen OAuth tokens led to the compromise of some open source projects.
Finally, millions of Lenovo consumer laptops could be at risk of being hacked. This comes after the discovery of three firmware vulnerabilities. Lenovo laptop owners are urged to check the manufacturer’s site for their model to see if firmware updates are available.
(The following transcript has been edited for clarity. To hear the full conversation play the podcast)
Howard: Let’s start with some possibly alarming news. A threat actor or actors have started a new marketplace for stolen data. Usually crooks want to sell personal data to other crooks who then go on to monetize it in some way — for example, by creating phony identities or they try to extort money from companies or governments by threatening to release important stolen documents. But this new online marketplace, called Industrial Spy, promotes itself as a website where companies can buy valuable documents stolen from competitors. What did you think when you heard of this?
David Shipley: From a criminal business model it’s brilliant, and it’s a natural response to the surge of security capabilities to detect the encryption process associated with ransomware. This is a reversion to a much simpler model of potential extortion — ‘Before this stolen data hits the market we can sell this to your competitors.’ I thought it was particularly noteworthy that you could buy the complete data set, or, if there’s a specific file you’re looking for, it’s two bucks a file. But for defenders the reality is ransomware has been easier and easier to detect and potentially thwart and stop. But the idea of someone sitting in your network purposely gathering your intellectual property to sell to your competitors is terrifying. This is a whole new ballgame — and I use the ballgame reference intentionally because people might think that corporate espionage is a very rare thing, but we actually have criminal convictions in the United States of one major league baseball team hacking another one. Because they [the victim team] didn’t do proper identity and access management, employees who were recruited away just logged back in and stole proprietary data. So there is a long history of digital corporate espionage, and now we’re just seeing a criminal marketplace tapping into that.
Howard: Industrial espionage to learn a competitor’s secrets isn’t new, and done the right way it isn’t illegal — stealing a laptop is illegal, blackmailing or paying an employee into giving over corporate documents is illegal. But for example, it isn’t illegal if you can look over somebody’s shoulder and see what’s on their computer screen. This is a new twist: this is buying intellectual property you know is stolen.
David: It’s going to be interesting to see how the intermediaries might develop around this new ecosystem. We’ve seen the rise of ransomware negotiation firms that help lower the cost of the initial ransom demand. How does this corporate stolen information potentially get laundered and washed by a third party? How do organizations who lean towards this thing shield themselves? What steps can disassociate themselves in the actual purchase of this information? How and where is this information going to get sold? And ultimately one of the biggest challenges for a company that’s been harmed by any of this is proving it. This is a new headache and I don’t think it’s one that companies have a good handle on, because one of the areas that we’re learning about in my space on the education and awareness side is data loss prevention (DLP). It’s in its infancy when we think about all the other problem sets that cyber and information security have been tackling — particularly things like phishing and malware or ransomware. DLP is one of those things that has been driven mostly by privacy regulation. It hasn’t been driven by motivated threat actors monetizing to an extent. So I think this one’s going to hurt.
Howard: How many companies are going to go for this?
David: It’s impossible to say, but one thing I can say with absolute certainty: it’s not zero, because this has been something that companies have done before (industrial espionage). I think it’ll come down to jurisdiction as well. One of the biggest threat actors for intellectual property thefts has traditionally been nation-states — generally to give themselves an economic advantage … Now we have a commercial criminal group that’s then looking to sell data to others. I think we’re going to see a need for law enforcement to take this more seriously. I think some jurisdictions, like the United States, will get better resourced because of how they’re handling cyber. In Canada, I can’t see a single police agency getting excited about investigating corporate espionage.
Howard: Maybe I should ask the question in a different way. How many companies in western countries where they have some tough law enforcement will go for this?
David: I absolutely think there will be companies in the western hemisphere that take this chance. The possibility of being caught is going to depend on the value of the data. Are they going to roll the dice on this to get a customer list? No. But are they going to do it to potentially get access to intellectual property? I’m thinking specifically about patent poisoning. Imagine you find out that one of your key competitors has got a killer technological innovation that they haven’t been able to get patented yet. You’re able to burn that before it can get to the patent office by [buying a stolen copy and] making it public. So you’re not going to get caught using the actual stolen information in your products.
Howard: Here’s a theoretical question: A company gets caught, and their defense is that employee John Smith was the one who bought this particular document. It wasn’t us. We had no knowledge of this.
David: That goes back to my point about the use of intermediaries and the ability to have plausible deniability …
Howard: One other thing. The criminal says, ‘I’ve got this document and it’s the design for the widget that your firm is competing against.’ How can I trust the value of what I’m going to be buying? These are crooks, after all.
David: It’s a legitimate question, but given the number of companies that have paid extortion fees to get back their stolen data not knowing if the criminals honored the deal and deleted the data they held, that trust has worked. In fact, the ransomware industry has kind of normalized it: You trust that they’re going to give you the decryption keys in exchange for payment. I think it’s all going to depend on the temptation of the data … I think there’ll be a huge market for buying and selling that corporate information for manipulating stock trades. I think there’ll be a huge market for really good patents, like the detailed engineering specs, drawings and maybe some sweet sweet battery tech for the Apple car. So it’s never been more important for a company to know what your crown jewels are.
Howard: Let’s turn to the Google blog this week on zero-day vulnerabilities. There’s good news and bad news. First, as a reminder to listeners, what’s a zero-day vulnerability?
David: It’s one that no one knew was happening, and criminals could have exploited it but the patch came out first. Think about these as being million-dollar-plus value tools. The more of these that we can find and stamp out before there are catastrophes the better off we all are.
…I don’t believe that this report [that 58 zero-day vulnerabilities were found in 2021, double the number from the year before] represents a massive decrease per se in the quality of software. I do think it’s important to acknowledge the human toll of the pandemic on software quality. Zero-days existed way before the surge that we’re seeing. We are always going to have vulnerabilities in software as long as it’s made by human beings. But I also think it’s important to acknowledge that for two years we have been operating under the most extraordinary circumstances and that applies to developers and others. So the increase may also be a lagging indicator of the human cost of the pandemic.
Howard: The good news is Google doesn’t think this represents an increase in the bad quality of software coding. It’s just that we’re able to see and find them better. Would you agree with that assessment?
David: Yes, we are getting better at spotting vulnerabilities and creating the right incentives for people to ethically report them. We’ve seen this massive increase in ethical hacking and bug bounty programs. I don’t think that’s all of the story, though, because that ignores the fact that software is made by humans. We are always going to see the reflection of their flaws in anything we create, because we just didn’t have time to think about things: the pressure that’s been on development teams to work remotely, to co-ordinate things. It’s an extraordinary time and I think that does play a role. It’s also something tech companies, particularly tech companies in Canada, need to think about as we come out of the pandemic into the new normal: Establishing new ways of working back together so our workforce is healthy and happy, and how that reflects in the quality of our code, not just hitting development milestones.
Howard: Let’s go a little deeper into this report. It says 12 of the 58 zero-days that were found would not have been included in this year’s list if Apple and Google had not begun to be transparent in annotating their security advisories.
David: I think that that is a very positive step. Apple had a very tough year last year when it comes to iOS zero-days. There was a lot of healthy attention paid to the Apple ecosystem, and I think, just as similar attention spurred Microsoft to adopt a whole new position on security 20 years ago, this pressure is forcing companies along a similar positive trajectory, where they’re realizing that transparency builds trust. And if they’re the company that’s building their brand around privacy and security, that is built on the foundation of trust, and that requires transparency. Hopefully this continues.
Howard: Fourteen of the bugs came from Google in its Chrome browser or Chromium OS. Seven were in Android, seven were in Apple’s WebKit, which is part of the Safari browser, five were in iOS, one of them was in macOS. And then there’s Microsoft stuff: there were 10 in Windows, four in Microsoft’s Internet Explorer, five in Exchange Server. What does this say about the state of software coding by some of the world’s biggest software developers?
David: A couple of different things. I don’t think necessarily about the counts for the software quality, because I think it becomes how are attackers thinking about the best ways into a company? Of course, last year Exchange and the Hafnium attacks were all the rage. The interesting thing about the Exchange attacks is how does this play into business strategy? Because Microsoft wants to kill on-prem Exchange. It doesn’t make nearly the money that hosted Office 365 does, so how does that [vulnerabilities in Exchange] play to Microsoft’s strengths and their business strategy?
Howard: Finally there was the in-depth report on the PYSA ransomware group. It’s called one of the most advanced ransomware groups around. It’s known for carefully researching high-value targets like government agencies, educational institutions and the health care system. This is not a group that sprays around email phishing lures and then goes after whoever falls for it. They hit these high-value targets that have sensitive data, squeeze them and they get large ransoms as a result. First, arguably ransomware is ransomware. You get hit, you’ve got to bounce back. So what’s the importance of a report like this, which essentially helps you know your enemy?
David: I think we’re entering a new generation with ransomware and I think we can delineate by calling them ‘Ransomware gang gen one,’ and ‘Ransomware gang gen 2.’ Because of an intense period of law enforcement action taking down a variety of different groups we’re going to see a cleaning out of the rough groups that had low trust, that had affiliates that didn’t have good operational security. That’s the good news. The bad news is the industry that emerges is going to look more like PYSA: Professional, thoughtful, deliberate, well-resourced. These folks go to work. They’ve got benefits. They have HR. They have business goals and they have all the discipline that is lacking in many organizations on the security side. We talk about the need to look at people, process and culture in cyber and to resource those things adequately to protect your business. Companies doing that do the things that you need to do. Because you haven’t, crooks can monetize your lack of action. This is what ransomware gangs are going to look like. You know, in our previous segment we were just talking about zero-days, with our discovery of zero-day vulnerabilities at a faster and better pace. That means when these [threat] groups have really sweet exploits to build on they have to use them more sparingly and in a more targeted fashion. They’re going to do their homework. And I think it’s really important for companies to do their homework on these groups.
Howard: The report notes that ransomware gangs like PYSA use a double extortion attack against victims, where the victim’s data is both exfiltrated and encrypted. The report says almost 58 per cent of this group’s victims paid the ransom. That shows on the one hand they’re pretty effective. But on the other hand doesn’t that show that there’s an awful lot of companies that aren’t prepared for cyber attacks, let alone ransomware attacks?
David: You’re absolutely right. The majority of organizations in Canada continue to pay, and they continue to pay for a variety of different reasons — because they think the economics make the most sense, because they think that this is the only option that they have, because they didn’t have a robust backup strategy in place that they regularly test and can recover from. In some ways ransomware is the bill that comes due for technology and IT process debt. Organizations that don’t get that will keep ending up having to pay. It’s really important to stress the technical debt in our industry. We talk about it, but maybe we need to better account for it when we think about organizational financial statements. Maybe that’s one of the missing links, in terms of boardroom and finance conversations. Maybe it’s also about the skillsets around the boardroom when it thinks about the financial costs and values of cyber …
It’s interesting. We’re coming up to I think 20 years of the U.S. Sarbanes-Oxley Act [which mandates more corporate transparency], and I saw a recent report talking about how the U.S. Securities and Exchange Commission might require boards to demonstrate that a director or directors actually know what the hell they’re talking about in cyber … which is stunning. In the past boards didn’t always have someone who could read financial statements. I think the same lack of literacy exists today with understanding technical debt and business vulnerability and reliance on technology. It’s why I constantly get so angry and frustrated when I see yet another vendor report saying, ‘Cybersecurity is now at the board table.’ If it was at the board table you would not see the percentage of payment of ransomware that you’re seeing today.
Howard: You talked about the importance of companies having backup as a defense against ransomware. But one of the problems is if the ransomware group has stolen unencrypted data and the threat is they’ll sell that data or make it public and really embarrass you to your customers to your partners. So isn’t it just as important for organizations to encrypt their data in addition to having backups?
David: One hundred percent. But I would say what’s really important first is to know what data you have. It would shock most people and most organizations if they actually properly mapped out all the data they collect, how they’re using it, what they store it for and how long they’re keeping it. You can reduce your burden first of all by just keeping your data clean. Then the computational costs, the storage costs, the security costs, the encryption cost to protect the data are reduced. I think it’s really easy for people to say, ‘Okay, we’re just going to encrypt everything.’ … It’s not like just flipping a switch and you can turn encryption on. It’s far more complicated. Which is why healthcare systems haven’t done it.
Howard: Coincidentally, a separate report out this week from another company says almost half of the organizations surveyed have a digital wallet — the implication being that they’re ready just in case they have to buy digital currency to make a ransomware payment. The implication is a lot of firms aren’t confident they’re prepared for a ransomware attack.
David: No. They don’t want to spend the money to be proactive. They would rather put the money in the wallet and roll the dice, because as humans we’re terrible at assessing risk. We’re absolutely awful about that. We always think that the bad thing is something that happens to somebody else, and if this bad thing happens we’ve got the wallet. But my God, the pain and suffering that is caused to customers and businesses because of our lack of foresight and lack of proactive nature. This is where we get back to: when the market doesn’t make the right moves itself, this is where government has to step in and close that with regulations.