Welcome to Cyber Security Today. This is the Week In Review edition for the week ending Friday November 5th. I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.
In a few minutes Terry Cutler, head of Montreal’s Cyology Labs will join me to discuss issues raised by some of the news in the past seven days. But first a few of the highlights:
The province of Newfoundland and Labrador continues to struggle with the biggest cyber attack on Canada’s healthcare sector. Hospitals across two of the biggest chunks of the province are closed to all but emergency procedures, with doctors and nurses having to fill out paper forms. This is one of the incidents Terry and I will talk about.
Meanwhile the Toronto Transit Commission has almost completely recovered from a ransomware attack. The TTC hasn’t said yet how it was compromised.
It was an interesting week for ransomware gangs: The BlackMatter group posted a message saying that due to pressure from unnamed authorities they were closing shop. Was this related to the detention last week in Europe of a dozen alleged ransomware gang members? Was it related to reports that the U.S. and Russia are actually working together against cyber gangs? Terry has an opinion.
Meanwhile a cybercrook admitted he created a phony ransomware gang called Groove just to trip up security researchers and the press.
A Calgary real estate developer acknowledged being hit by ransomware. And a news report says ransomware was the cause of the Labour Party in the United Kingdom losing access to party data after a cyber attack on one of the IT companies it deals with.
More on ransomware: A report this week by Sophos is a reminder that unsupported and vulnerable software is still being used as a lever to get into exploited companies. A ransomware gang called Cring is exploiting old or unpatched products by Microsoft, Adobe and Fortinet. It’s another reminder to IT leaders that eliminating old and unsupported products is essential to effective cyber defence.
The U.S. has sanctioned two IT companies from Israel, one from Russia and one from Singapore. One of the Israeli firms is NSO Group, which sells spyware to foreign governments that has been used to target reporters, activists and embassy workers. The University of Toronto’s Citizen Lab has long complained about the use of NSO’s Pegasus spyware by some governments. Russian-based Positive Technologies is on the sanctions list for trafficking in cyber tools used to gain unauthorized access to IT systems.
Finally, the U.S. Cybersecurity and Infrastructure Security Agency has told non-military federal departments to get serious about cybersecurity. This week it issued an order telling departments and agencies to urgently patch serious hardware and software vulnerabilities being actively exploited. According to one news report, departments have as little as two weeks to install the latest patches.
(The following is an edited transcript. To hear the full discussion play the podcast)
Howard: I want to start with the cyber attack against the Newfoundland healthcare system. After five days, the province finally confirmed the IT outage was caused by a cyber attack. The minister of health didn’t want to talk publicly about the possible cause because attackers watch what victim organizations say in the media. However, as we recorded this discussion sources were telling CBC news that the attack is ransomware. It isn’t clear how much backup data was available. This is doctors in the province rely on for things like patient history, lab results, x-rays. In his initial PR press conference the health minister said the data center has ‘two brains’ and both of them seem to have been affected. “There are some capabilities that do exist,” he said. The backups at local levels exist. There were backups at the provincial level. So we’re not quite sure what’s going on there, but let me ask you this: What’s it like to go through a serious attack like this that forces almost all of an organization’s vital services offline.
Terry: It’s actually pretty terrible. In our experience with healthcare [in a different attack] we found there’s a lot of machines that are out of date. Nobody knows what’s actually on them. There’s data stored locally on there, backups are all over the place. There’s different IT departments, nobody knows where the software installation CDs are or the licensing keys. When something like this happens, they don’t even know where to begin. They don’t even know who to call and they’re forced to back to pen and paper. And they can’t really say much publicly either, because first of all, one, they have no idea how the attackers got in, what machines were compromised, what backdoors are still in there — and the investigation is still ongoing. When forensic copies of computers are taken by investigators it takes days and weeks to analyze the data. There’s a lot of answer unanswered questions.
Howard: The situation that you described , I hope, is a worst case scenario where, as you say things that the IT department doesn’t know — where the software keys and things like that are. And certainly one lesson from any cyber attack is you’ve got to be prepared beforehand. You’ve got to have an inventory of all your hardware and inventory of all, all of your software, so that when an attack strikes you’re not completely unprepared.
Terry: And of course there’s a lot of turnover in healthcare in IT — they’re either brewing promoted or they’re leaving. Many healthcare institutions don’t have the budget to install advanced technology like EDR (endpoint detection and response). Here’s a perfect example. So in a case that we had in healthcare, one of the hospitals was affected. Then the attackers started to attack another hospital within the same backbone of the IT network. And the second hospital didn’t know where it was coming in from.
One thing that hospitals systems can do is have a network taps that looks at all the [network] communications leaving the infrastructure, and it compare it the known IP addresses of threat actors, so you can actually to see if any of these hosts may have a beacon installed on them or have any weird anomalies that the systems are talking to. Why are these 15 computers have 15 bytes of data talking to the same IP address every 15 minutes and three seconds? That’s how you would know if there’s still a backdoor in the network.
Howard: And unfortunately, from an attacker’s point of view a healthcare system is a great target because it’s publicly visible –lots of people need to access hospitals. And ransomware puts pressure on governments to pay up so the IT system can get back to normal operations as soon as possible.
Terry: Depending on the amount sometimes it could be cheaper for healthcare to pay that ransom note than it would be to re-install the environment and get their data back because they don’t know what backups they have.
Howard: Is that true? That may have been true a year ago, but with ransomware attacks against critical infrastructure gaining so much attention these days do you have any sense that the backbone of governments is stiffening and and perhaps they’re they’re less likely to pay up?
Terry: I think we’re starting to see some things happening right now, but it’s still very costly to investigate these attacks. Because who’s going to pay for the bill? Some of these investigations could be hundreds of thousands of dollars to do.
Howard: And this case (Newfoundland) the taxpayer’s going to pay.
….
Howard: Let’s move to the report about the BlackMatter ransomware gang going down. What do you make of that?
Terry: I think it’s another rebranding attempt. For those listening that don’t know, BlackMatter is a group that operates ransomware-as-a-service. Its affiliates can use their service to launch attacks. The service has support capability, support tickets, and can receive new ransomware updates and builds as they come out. What’s interesting is that the gang said due to certain unsolvable circumstances associated with pressure from authorities the team is no longer available. Which I found interesting because days before 12 people were arrested in Ukraine and Switzerland.
What’s going to be interesting is if law enforcement have taken over the group and taken over the gang’s databases and such, they’re going to be able to see who the buyers are. And this is where they’re going to work with telecommunication companies to track down their IP addresses are, where they’re coming from. And I expect to see more arrests coming.
…
Howard: The, the last thing I want to take a look at is a report from Microsoft reporting that there’s been a rise in password spraying in the past year. For those who don’t know, password spray attacks are authentication attacks that employ a large list of usernames. They get paired with common passwords in an attempt to guess the correct combination and breaking into login accounts. A spraying attack is different from a brute force attack, which involves attackers using a custom dictionary or a word list. What can I T departments do to foil password spraying?
Terry: A couple of things. Obviously the first one is make sure you train all the users. So cybesecurity awareness training is going to be key . So is enabling two-factors authentication, because what we’re seeing is that a lot of people are re-using the same password online. And if that the password is weak and gets hacked, attackers are going be able to reuse this information to try and log in.
It’s important that IT do an audit to see what services are running and maybe what has the default password set up. But you know, of all this, I think the two factors that vacation is going to be is going to be the most important piece here.
Howard: People who have access to sensitive data like IT administrators, domain administrators, perhaps people in the finance department and executives may need to also have security keys, which is like a USB a memory fob that you plug into the computer in order to confirm your access. So that even if the attacker has it, your username and password, if they don’t have the physical key the system won’t lie, won’t log them in.
Terry: This is where the privileged account management come in. So if you have this type of technology it’s really going to serve you well.