Welcome to Cyber Security Today, the Week in Review edition for the week ending Friday, January 29th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
With me today to discuss the news is Terry Cutler of Cyology Labs. First, a look at the week’s highlights:
Cybersecurity experts are still stunned — and rejoicing — at news that two of the biggest online criminal operations have been crushed, at least temporarily, by law enforcement agencies. Police in several countries seized the servers running the Emotet botnet, which distributed hundreds of thousands of malware-carrying emails a day. By one estimate Emotet was behind 30 per cent of all malware attacks.
And authorities in the U.S. and Bulgaria closed the websites behind the distribution of the Netwalker ransomware. A Canadian has been charged in Florida with being one of those involved with Netwalker, allegedly receiving at least $27 million. Netwalker was one of the gangs that, just before encrypting a victim organization’s computers, would steal data and threaten to release it unless the ransom for the decryption key was paid.
One of the latest email scams targets executives, aiming to get their login credentials for Microsoft Office 365. Beware of messages that say your password is about to expire and that, if you want to keep using the one you have, you should click on a button labelled ‘Keep Password.’ It’s a scam.
Remember the concern about the hack of the SolarWinds Orion network management platform? Most of the public worry was around U.S. government systems that used infected versions of the software and how much information attackers may have got hold of. Well, this week security vendor Kaspersky said there were other victims as well. About 32 per cent of organizations that downloaded the compromised software were industrial firms, including manufacturing companies, utilities, energy companies, construction firms and transportation firms. They were in a number of countries, including Canada and the U.S. So if your firm uses Orion, check whether it is running the version with the backdoor installed. Then look for indications that your systems were compromised.
Companies continue to be hacked because they have lax network and information access control. That was the conclusion of security vendor Sophos after reviewing some of its investigations. In one case hackers used the username and password of a company administrator who had died. In another case hackers created a fictional employee username and password to access data. It’s important to remove the accounts of people who leave an organization, change the access of those who shift positions, and make sure new accounts correspond to real employees. One of the first targets for attackers is the directory that holds user credentials.
As I said earlier, today’s guest analyst is Terry Cutler of Montreal’s Cyology Labs. We focused on the takedowns of the servers running the Emotet and Netwalker operations, so I started by asking what he thought when he heard the news.
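The Sophos findings above come down to three checks an identity team can automate: an account whose owner has left (or died) is still enabled, an account matches no real employee, and a privileged account is held by someone who has moved roles or has not used it in months. The following is an added example, not code from the podcast, from Sophos or from Cyology Labs. It reconciles a constructed directory export against a constructed HR roster; the field names, the 90-day staleness window and the rule that only the IT department holds admin rights are assumptions for the example, and a real run would read an LDAP/AD export and an HR feed instead of the inline lists.

```python
"""Reconcile directory accounts against an HR roster (added example)."""
from datetime import date, timedelta

# Constructed directory export: one record per account (not real data).
DIRECTORY = [
    {"sam": "jsmith", "employee_id": "E100", "enabled": True, "admin": True,
     "last_logon": date(2021, 1, 27)},
    {"sam": "rlee", "employee_id": "E101", "enabled": True, "admin": True,
     "last_logon": date(2020, 6, 2)},        # owner is deceased
    {"sam": "mchen", "employee_id": "E102", "enabled": True, "admin": True,
     "last_logon": date(2021, 1, 25)},       # owner moved from IT to Finance
    {"sam": "tbrown", "employee_id": "E103", "enabled": True, "admin": True,
     "last_logon": date(2020, 9, 1)},        # admin account nobody uses
    {"sam": "svc_backup", "employee_id": None, "enabled": True, "admin": True,
     "last_logon": date(2021, 1, 28)},       # approved service account
    {"sam": "pdavis", "employee_id": "E999", "enabled": True, "admin": False,
     "last_logon": date(2021, 1, 28)},       # no such employee exists
]

# Constructed HR roster keyed by employee id (not real data).
HR = {
    "E100": {"status": "active", "department": "IT"},
    "E101": {"status": "deceased", "department": "IT"},
    "E102": {"status": "active", "department": "Finance"},
    "E103": {"status": "active", "department": "IT"},
}

# Accounts with no human owner must be explicitly allow-listed, not ignored.
APPROVED_SERVICE_ACCOUNTS = {"svc_backup"}

# Assumption for the example: only these departments may hold admin rights.
ADMIN_DEPARTMENTS = {"IT"}


def audit_accounts(directory, hr, approved_service, admin_departments,
                   today, stale_days=90):
    """Return (account, reason) pairs for enabled accounts that fail a check."""
    findings = []
    stale_cutoff = today - timedelta(days=stale_days)
    for acct in directory:
        if not acct["enabled"]:
            continue  # disabled accounts are out of scope here
        sam, eid = acct["sam"], acct["employee_id"]
        person = hr.get(eid) if eid else None

        # Check 1: the account must map to a real employee or an approved
        # service account (catches the "fictional employee" case).
        if person is None:
            if sam not in approved_service:
                findings.append((sam, "no matching employee"))
            continue

        # Check 2: the owner must still be with the organization
        # (catches the "administrator who had died" case).
        if person["status"] != "active":
            findings.append((sam, f"owner status is {person['status']}"))
            continue

        # Check 3: privileged accounts follow the owner's current role and
        # must actually be in use (catches role changes and forgotten admins).
        if acct["admin"]:
            if person["department"] not in admin_departments:
                findings.append((sam, "admin rights outside admin departments"))
            if acct["last_logon"] < stale_cutoff:
                findings.append((sam, f"admin account unused for {stale_days}+ days"))
    return findings


if __name__ == "__main__":
    for sam, reason in audit_accounts(DIRECTORY, HR, APPROVED_SERVICE_ACCOUNTS,
                                      ADMIN_DEPARTMENTS, date(2021, 1, 29)):
        print(f"{sam:12} {reason}")
```

The allow-list for service accounts is the important design choice: an account with no HR owner is exactly the shape a fabricated employee takes, so unowned accounts are flagged by default and only an explicit exception silences them.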
“I was glad that finally action’s been taken,” he said, … “but my feeling is that it’s like cutting off the head of a snake and it grows another three. This is like a quick little hiccup, a little bump in the road for these guys. And they’ll be back up and running in no time.”
We talked about the costs to organizations of being hit by ransomware. “I’ll quickly tell you a story of what happened with one of the customers that once got hit. You need to deploy EDR [endpoint detection and remediation] technology … the type of things to help contain the ransomware. But you also have to rebuild a completely different IT network. So as you rebuild the whole network, you have to sometimes open up a bridge from the old network to the new network to copy over the data. And we’ve seen cases where some endpoints got missed. So the EDR technology was not [effective]… and [the ransomware] re-infected the entire environment again. So we had to start all over.
“A lot of companies don’t realize that when they get hit with ransomware, you are down for at least a hundred hours. And there’s a good chance that your systems will still not be up and running after the breach has been cleaned up because some databases will get corrupted and you have to rebuild that. So it really is a nightmare to go through.”
Turning to the Emotet takedown, I noted that authorities in the Netherlands — who seized several Emotet command and control servers — were planning to release an update to the malware in late March that would disable Emotet on victims’ computers. However, IT departments will first have to scour their systems for evidence of compromise, because the update only erases the original malware.
UPDATE: In an analysis published after this podcast was recorded, Malwarebytes said the code deletion software has already been delivered, but it will be executed on victims’ computers on April 25, not March 25, as originally predicted.
“Finding that stuff is going to be more difficult because you can’t rely on traditional antivirus technology or maybe even EDR,” Cutler said. “You have to start looking at the network level, where you may have to install other technologies, such as sniffers, that look at what communication is leaving your organization and see if there’s any beaconing happening. That requires a niche skill, which means you have to start looking at other firms that can help. So it’s a headache at the moment.”
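The network-level check Cutler describes, looking at outbound traffic for beaconing, rests on one observation: malware that polls a control server tends to connect on a fixed timer, so the gaps between its connections are far more regular than those of a person browsing. The following is an added example, not code from the podcast or from Cyology Labs. It scores each (source, destination, port) pair in a set of constructed outbound flow records by the coefficient of variation of its inter-arrival times; the sample records, the 0.2 threshold and the minimum of eight connections are assumptions for illustration, and in practice the records would come from firewall, proxy or NetFlow logs.

```python
"""Flag outbound connection pairs with beacon-like timing (added example)."""
from collections import defaultdict
from statistics import mean, pstdev


def make_flows():
    """Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port)."""
    flows = []
    # Host A: a 300 s timer with a few seconds of jitter, always to the
    # same external address (documentation range 203.0.113.0/24).
    jitter = [0, 4, -3, 2, -5, 1, 3, -2, 5, -1, 2, -4]
    t = 0
    for j in jitter:
        t += 300 + j
        flows.append((t, "10.0.0.5", "203.0.113.10", 443))
    # Host B: ordinary browsing of one site, with irregular gaps.
    gaps = [7, 190, 2, 1, 840, 33, 4, 2, 410, 12, 1, 95]
    t = 0
    for g in gaps:
        t += g
        flows.append((t, "10.0.0.8", "198.51.100.25", 443))
    return sorted(flows)


def beacon_scores(flows, min_connections=8):
    """Per (src, dst, port) pair: connection count, mean gap and the
    coefficient of variation (stdev / mean) of the gaps between connections.
    A low CV means the timing is regular; pairs with too few connections are
    skipped because a handful of samples cannot establish a rhythm."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
    scores = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        m = mean(gaps)
        cv = pstdev(gaps) / m if m > 0 else float("inf")
        scores[pair] = {"connections": len(times), "mean_gap": m, "cv": cv}
    return scores


def suspected_beacons(flows, max_cv=0.2, min_connections=8):
    """Pairs whose inter-arrival times are regular enough to review."""
    scores = beacon_scores(flows, min_connections)
    return sorted(pair for pair, s in scores.items() if s["cv"] <= max_cv)


if __name__ == "__main__":
    flows = make_flows()
    for pair, s in sorted(beacon_scores(flows).items()):
        print(f"{pair}: n={s['connections']} mean_gap={s['mean_gap']:.1f}s cv={s['cv']:.3f}")
    print("review:", suspected_beacons(flows))
```

A low CV alone is not proof of compromise: software update checks, NTP and monitoring agents also poll on timers, so the output is a review list to be matched against known-good destinations, not an alert in itself. Adding jitter or long sleep intervals on the malware side raises the CV, which is why the threshold is a tuning knob rather than a constant.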
To hear the full discussion, click on the arrow in the player at the top of the story.