Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday, January 7th, 2022. I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.
I’ll be joined in a few minutes by Terry Cutler, the head of Montreal’s Cyology Labs, to discuss some of the week’s top stories. But first a recap of the news from the past seven days:
The Karakurt data-stealing gang is going strong. Just as the year ended it named 11 American and Canadian organizations it had hacked. It demanded bitcoin or the companies would be embarrassed by the public release of stolen data. Terry and I will discuss attacks on small and mid-sized companies.
We’ll also look at a report by New York State into the widespread use of credentials stuffing by threat actors, and the promise by the U.S. Federal Trade Commission to go after companies operating in the United States that don’t act fast enough to close holes left by the Apache log4j vulnerabilities.
Elsewhere, security researchers at Sygnia reported finding a new threat group that’s been stealing millions from financial institutions in Latin America. Often its initial way of breaking in is by targeting legacy Java applications running on Linux servers. Companies around the world should be on guard.
Another third-party supply chain cyberattack has been discovered, one that goes after real estate companies. Real estate websites often offer videos of properties for sale. But researchers at Palo Alto Networks say a gang compromised a cloud video hosting platform that some real estate companies use. The malware gets downloaded to the victims’ websites and then inserts JavaScript code that skims off sensitive information that real estate customers enter in online forms. That’s why this is called formjacking. Cloud application providers and website administrators have to watch for signs of compromise.
Finally, a California man this week admitted to conspiring to commit wire and securities fraud for his role in a $50 million internet-enabled investment fraud scheme. The man and others created 150 fraudulent websites to convince people to buy certificates of deposit with high average rates of return. Some of the websites closely resembled sites of real financial institutions, real enough to fool at least 70 people. The man will be sentenced in May.
(The following is an edited version of a discussion. To hear the full conversation play the podcast)
Howard: Terry Cutler’s going to join us now. I want to start with my report about the Karakurt gang announcing 11 more victim organizations in the U.S. and Canada, including Montreal’s tourism agency and a heavy construction equipment manufacturer in Western Canada.
An Accenture report on the Karakurt group says it typically uses stolen or weak credentials to get into organizations — we’ll come back to this tactic in another story later in the podcast. But once again bad passwords and lack of multifactor authentication comes back to bite companies.
Terry: Unfortunately, we’ve talked about [needing] multifactor authentication for years. Passwords are really terrible. It’s hard to create strong passwords. People forget their passwords so they create weak ones. They’re leaking on the dark web and being reused. You need to have multifactor authentication in there to prove that it’s something that you have and it really is your account to be able to use it.
Howard: The Accenture report also talks about this gang’s tactic of “living off the land.”
Terry: “Living off the land” is when an attacker uses what’s at their disposal on the victim’s system, tools like Bitlocker that’s built into Windows, that bypass endpoint detection and response technologies. It’s very hard just to stop these types of attacks.
Howard: These are tools that are already in your IT environment, like PowerShell. Crooks use them instead of custom tools that may be detected because they’re unusual. They’ve just been they’ve been added by the crooks to the IT environment. They’re using things like PowerShell, and as you say, Bitlocker against yourself. So how do you defend against that?
Terry: How IT defends against that is very very difficult. You know we have to really look at a proper detection and response plan.
Howard: Certainly it’s going to help if you’re monitoring your network closely and you’re looking for signs of suspicious activity. You’re looking for suspicious use, for example, of PowerShell.
Terry: Right. So here’s a problem that we’re seeing when it comes to protecting your business: We all know to create a strong password, to turn on multifactor authentication, to not click on links you’re not supposed, to watch out for suspicious websites. You’ve got ransomware, viruses, worms, Trojan horses, botnets and zombies … I could totally relate as a business owner and not feel overwhelmed by all of these things to look for. Just look at ourselves as cyber security experts. I receive about 30 emails a day that talk about the latest vulnerabilities in different products and services. Even I have a hard time keeping up.
Howard: Looking at the list of recent alleged victims of the Karakurt gang, they can all be classified I think as small to medium size organizations. One is a digital marketing company, one makes custom bathrooms, one’s a Canadian first nation community, another is a Canadian data management consulting firm. We’ve talked before about the problems of small and medium-sized businesses. What are they doing wrong when it comes to cybersecurity?
Terry: A lot of the common feedback I hear is that cyber security or internet safety is not very interesting. They see no value because they feel they’re not a target. And there’s too much technobabble. The management team doesn’t understand what the technicians or IT guys are saying … They don’t realize that hackers are actually in their system for months or years prior to being detected. So the biggest theme that I’m seeing from these small and medium businesses is that they don’t know where to start.
A lot of times they’ve never had a cybersecurity audit, or never had one in years. They protect their IT networks like the one in their home. They think that because their management team, for example, is trained that if we have an antivirus, a firewall and encryption that we’re safe — but in reality we’re seeing that they have no [malware] detection in place, or a response plan to take action in case they find a cybercriminal in their system …
That’s my common theme: Let’s get an audit to see where you are today, and look at where you should be and where you need to be. These reports are going to show things like user accounts that are still active in a system for people that haven’t been with the company for months or years, problems with patch management, IoT devices that are on their network that might not be secured properly and could bypass all their security, terrible passwords, weird logins at odd times of the night. That’s list keeps repeating.
Howard: What’s your most persuasive argument to get SMBs to pay more attention to cyber security?
Terry: A lot of times I say, “Go talk to one of your peers.” Here’s a perfect example: We worked with a transport company. Another transport company got hacked. Our client saw that it cost them close to $300,000 in damages — everything from paying the ransom to getting IT staff on site to rebuilding their network … My last argument would be let me just run a free cybersecurity assessment on your network. If I don’t find anything then you’re good to go. And then they see that their IT guy hasn’t been telling them the whole picture.
Howard: Another big story this week was the release of a report by the New York State attorney general’s office into credential stuffing. For those who know that’s when cybercrooks stuff stolen usernames and passwords into login forms until one works. Tell us more about this investigation.
Terry: To bring this threat to the attention of the public the attorney general’s office stalked a bunch of criminal websites that were selling over 1 million stolen and tested usernames and passwords. They could be used against 17 well-known businesses like retailers, restaurant chains and also food delivery services. It’s critical because these attacks hadn’t been detected before. That’s why as I mentioned earlier it’s very important that we get security audits done because we can see these weird logins happening. A lot of these companies may not have continuous monitoring in place to find these types of attacks, or they’re not maybe protecting their privileged access accounts.
That’s why it’s very important to have technology in place that can detect if a user signed in one location and tries to sign in at the same time from another location — which would be suspicious. Technology would cut off the access and report it to the management team.
Howard: The report quotes a study that finds victim firms lose an average of $600,000 a year to credential stuffing, from lost customers, from application downtime and from increased IT costs. Tell us about some of the report’s recommendations on how you can lower the risk of being victimized.
Terry: Three recommendations are 1) have a bot detection service in place that detects credential stuffing, 2) turn on multifactor authentication, and 3) use password-less authentication — although I have a hard time with this. A lot of legacy applications can’t support that type of technology
Howard: The report says that one of the most effective safeguards is preventing customers from storing their credit card numbers in your organization. Businesses do that so customers don’t have to keep re-entering their data. But it also allows cyber crooks to use accounts they’ve hacked through credential stuffing. So it’s a best practice to require customers to re-enter a credit card number or security code when they’re buying a product. The report says it’s critically important that re-authentication be required for every method of payment that a business accepts.
Terry: That’s that’s key because when a cybercriminal breaches your computer system he could do things like extract all the passwords that are stored in the customer’s browser, and that includes credit card information. The problem that I see here is around the consumer space where they think it’s all about convenience. And when they have to re-enter their password all the time, re-enter their credit card stuff all the time they’re going to see this as a major hassle and they may not want to shop there anymore. There has to be a cultural change.
There report also talks about the importance of having a written incident response plan. This is a service that keeps us really, really busy because a lot of times a cyber criminal’s been in your business for months and years. Have no response plan to get them out or if there’s a ransom attack, organizations are just scrambling. They don’t know what services to bring back online first. They don’t know who to call. They think they’re going to call the police and they’re going to come in and save them. It’s just not going to happen. So they need to have proper procedures in place to know what steps to take to bring an IT environment back up as quickly as possible.
It will also help when you make a cyber insurance application.
Howard: Before I leave this story listeners should know that that New York state in addition to the report released a very handy and free business guide for credential stuffing attacks with valuable advice for blocking this kind of attack. And there’s a link to that report here.
Finally, I want to look at word that the U.S. Federal Trade Commission which is a consumer protection agency, says that it’s going to slap companies that aren’t patching for the Apache log4j2 vulnerabilities. In case you’ve forgotten, these newly-discovered vulnerabilities are in a wide range of applications that use it for logging capabilities. Organizations around the world are still searching their applications for possible use of log4j and they’re trying to stay ahead of threat actors by patching. But some aren’t patching fast enough. So the FTC trying to give American firms some encouragement by reminding them that the agency can act. My question to you, Terry, is should government agencies speak softly and carry a big stick? Or should they let the private sector handle cyber threats and cyber attacks?
Terry: I think we’re at a point where cyber security needs to be taken really seriously. But I feel businesses or business owners are only going to make a change once it’s put a hole in their wallets. I think governments should step in once an investigation has shown that companies have put very very little in place to prevent a data breach. I’ll give you an example: We had a firm that was really cheapo on cybersecurity, to the point where they even went on BitTorrent to get pirated copies of antivirus software. But they didn’t know that what they downloaded software had a back door in it and it and it took control of their their their customers’ information and all hell broke loose.
Howard: And one might expect that if you’re looking for free software some crook has already compromised it.
instead of the government being tough and maybe other parts of of the business sector should be tough. How about banks canceling loans or credit for companies that don’t meet certain cyber standards?
Terry: I have heard of businesses trying to qualify to work with a bank and get denied because their cyber security audit results are horrible. I’m also seeing more and more insurance firms actually canceling renewals of cyber coverage after a company’s been breached, or they’re actually refusing them because they don’t qualify.