Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday, September 10th. I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.
In a few minutes guest commentator Terry Cutler of Montreal’s Cyology Labs will be with me to talk about ransomware news. But first a brief look back at some of what happened in the past seven days:
A new criminal hacking group has appeared, claiming to have stolen data from firms in a number of countries including Canada and the U.S. CoomingProject alleges its Canadian victims are a horse-breeding association and a women’s fashionwear business.
The REvil ransomware group may be back. The Bleeping Computer news service reports the gang’s dark web servers have suddenly turned back on after an almost two-month absence. Those servers were shut after the attack on Kaseya’s VSA remote management infrastructure over the summer. It saw about 1,500 managed service provider users of Kaseya hit by ransomware. After that attack REvil’s servers went dark. The report adds that it is unclear if the gang is back or its servers are being turned on by law enforcement. This is one of the incidents Terry and I will discuss.
Another is a panel on ransomware I covered this week. One of the speakers insisted ransomware is a solvable problem. Ransomware usually attacks a set number of weaknesses in security controls, he argued. What IT security teams have to do is figure out which of those weaknesses are present in their organizations. Terry and I will discuss these and other recommendations.
Administrators of Fortinet FortiGate virtual private network devices should consider resetting their users’ passwords. This comes after the leak this week of what is said to be almost half a million login credentials to FortiGate VPNs. The user names and passwords were stolen last year by exploiting an unpatched vulnerability dating back to 2018. Those devices may have been patched since last year. However, the credentials might still be valid and usable. Fortinet says a password reset should have been done after the update was installed. It isn’t known why a threat actor would give away the list of credentials.
A Ukrainian man who allegedly controlled a botnet to run brute-force login attacks on computers was extradited this week to the U.S. from Poland. The 28-year-old man sold decrypted logins on a dark website. He faces charges of conspiracy, trafficking in unauthorized access devices and trafficking in computer passwords.
Finally, the chief executive of Atlassian is defending his company’s response to a vulnerability found in the on-premises version of the company’s Confluence collaboration server. A patch was available by August 15th and security bulletins from many sources were issued 10 days later. Attackers have been trying to exploit the vulnerability since September 1st. But this week one security company said hundreds of installations are still being targeted.
(The following is an edited transcript of my conversation with Terry Cutler. To hear the full talk, play the podcast.)
Howard: Once again there was a lot about ransomware in the news. First, I want to look at the report about REvil being back. Allegedly it went quiet after the Kaseya attack caused the United States to warn Russia about threat groups based there. But this week it was reported the gang’s data leak site is back up, although nothing new has been posted. Terry, what do you make of this?
Terry: Well, it’s still a coin toss between did they get their service back up themselves or was law enforcement involved? My guess is that law enforcement is somehow behind it. Since the site’s been down for almost two months now, maybe they want to see who’s trying to connect to the site and check in? So by powering on these systems we will maybe attribute who’s still involved or connected or trying to connect.
Howard: And again, I noticed the gang doesn’t appear to be boasting that it’s hit new targets. So it’s really difficult to make sense of this. Ransomware groups have been known to take a siesta from time to time, and then they come back perhaps with new code and strategies. Does it matter if REvil is officially back?
Terry: Whenever these gangs disappear they kind of rebrand themselves. I think what’s happened here is that this system probably got taken over by law enforcement and they’re just trying to like add some additional pieces to their cases, or trying to help additional victims who maybe still haven’t gotten their data back.
Howard: But whose law enforcement? The United States or Russia?
Terry: That’s the million-dollar question. I think Russia handed them over as [a sign of] good faith, but I think the U.S. has control of it.
Howard: There was also a report that in an effort to further squeeze victims, the RagnarLocker group has warned victim organizations that it won’t hold back releasing stolen data if a firm contacts police or cybersecurity negotiators. Usually ransomware groups set a deadline of a few days before releasing data, giving victim firms time to negotiate. But this group says if you call for help the data that they’re holding is going to be instantly released either to the public or other crooks. What do you think is going on here?
Terry: That’s an interesting concept because these gangs want to lay low from law enforcement. But I think by doing these tactics they’re going to shine more light on themselves because if they start leaking really sensitive information there’s gonna be retaliation from law enforcement … So they’re going to leak it anyway. It’s basically pay up, don’t tell anybody and we’ll take care of you. But then again, even if you pay it, there’s still no guarantee you’re going to get the decryption keys.
Howard: This particular gang is trying to increase the pressure on getting paid and they know very well that if a victim organization calls a cyber security firm that’s experienced in negotiating they’ll try to negotiate down the payment. This group says to heck with that, we’re gonna squeeze you even more.
Terry: But what’s interesting is if they release that data, they’re not going to get paid anyway. I think it’s an empty threat for sure, because if they’re gonna leak the data then what?
Howard: As I said earlier this week, I covered a panel discussion on ransomware where speakers made a few points. And one of them was that ransomware is a solvable problem. If IT teams look carefully at the vulnerable points in their organization ransomware can be defeated. Some think all you need is having good backups and patching software. But if IT teams get really disciplined, they can put a dent in ransomware attacks. Where are you on this?
Terry: If it was that easy it’d be done. There’s a lot of valid points in those conversations. And I think the biggest problem is that most organizations don’t know where to get started. They don’t even know most of the time what systems they have online. They don’t know what vulnerabilities exist, too, because all they have in-house is maybe an IT guy who’s not experienced in cybersecurity. Or they don’t have the proper detection technology in place to uncover a cyber attack happening at the moment. And they don’t have a response plan to get the attacker out. There’s a lot of moving parts in here, and there’s not one person that can do it all. So it’s important to have proper budget in place to be able to bring in outside help that can complement the existing in-house cybersecurity team.
Howard: It’s certainly true that a lot of cybersecurity experts say for any kind of attack, whether it be ransomware or strict data theft or whatever, you’ve got to start with the basics, and the basics are: Do you have an inventory of your hardware? Do you have an inventory of your software? Do you know what the patching regime is? Are they kept up to date? Are they properly configured? And then of course there’s: do you know where your sensitive data is, and on which servers?
Terry: I spoke about this at MapleSec last year, where the IT department didn’t have an idea where the software installation CDs were, or the [software] install packages were, or they didn’t have a list of their installation keys, they didn’t know what machines they had online because they inherited the environment from another group a year before. Their job was just to maintain the environment, but they were completely unprepared for a ransomware attack, which knocked them offline for almost two weeks. Asset inventory is the number one key right now. How do you know what to protect if you don’t know what you’re protecting?
[Editor’s note: This year’s MapleSec virtual conference runs October 5-7.]
Howard: Another speaker on this panel made the point that IT teams are wasting time trying to secure everything as opposed to being more strategic in terms of what should be protected. Do you agree?
Terry: I do. It’s [about] protecting the crown jewels. If you have very sensitive intellectual property or a very sensitive database that needs to be protected, you gotta put all the firepower on this. Also, endpoint detection and response technology, log monitoring, somebody that’s going to be on call if there’s an emergency. A lot of companies aren’t doing that, they’re just trying to patch all their software and install antivirus software.
Howard: There was also an interesting report this week from an Israeli cyber security firm that did an analysis of discussion threads on a criminal hacking forum to figure out what kinds of organizations ransomware attackers are looking to hit. And one of the things I noted was almost half of those who were participating in these particular threads said that they didn’t want to buy stolen access to companies that were either in the healthcare or education industries. Others were avoiding governments and nonprofit organizations. One of the things that occurred to me was these groups are trying to avoid controversial targets that might attract police.
Terry: It’s an interesting concept now. Yes, they want to avoid educational firms because these guys usually don’t have money, so they’re not going to pay. And they want to avoid government and law enforcement agencies, obviously, because they don’t want to have the heat on them. So they’re targeting all the companies that earn over a hundred million dollars that have RDP or VPN products that are enabled, and they’re willing to pay as low as a hundred dollars to a hundred thousand dollars for proven access into the environment.
Howard: Did you get anything in the analysis that would help defenders, or do you think that this was too small a group of threads to get any sort of a sense of information?
Terry: If you’re not in healthcare, government or education, you’re on the target list. … You’ve got to get to a zero trust [cybersecurity] model where everything’s being logged, everything’s being locked down with minimal …
Howard: One of the things that I took away from it was that while some people who were participating in these threads said they didn’t want to particularly attack the education sector, I noticed this week Howard University in the United States admitted that it was the victim of a ransomware attack and has had to take some systems offline. So it’s not necessarily a hard and fast rule that if you’re in the education sector you won’t be hit.
Terry: I can’t believe they [attackers] would lie, Howard. I can’t believe it.
Howard: One other thing that caught my eye this week: Microsoft published a column on three steps to prevent and recover from ransomware. They were, in order:
— plan for the worst, by having a recovery plan, to get back to business without paying the ransom. And that of course means, among other things, having tested backups and having a tested recovery plan.
— protect the logins of people who have privileged access to data, like IT administrators. And this means using multi-factor authentication, making sure those people at the very least have multi-factor authentication on their logins.
— make it harder for any intruder to break in by tightening access in general to your networks and implementing intrusion detection controls.
Terry: The moral of the story here is that there’s no silver bullet to stop a cyber criminal from getting into your environment. The key is to make it as difficult as possible from the get-go. In the first part, prepare for your recovery. It’s not a case of if, but when, you’re going to get hit with ransomware. You want to make sure that your disaster recovery plan is sound: Who do you call when this happens? Make sure all the software is properly indexed and organized and ready to go [for re-installation] in case of a disaster. And plans should be tested, because a lot of times we’ll see a company that has let’s say two network-attached storage systems that are side by side. If ever there was a ransomware attack one of them gets encrypted and the other one will just take over for it. But we found out that because the network was misconfigured that both would get attacked at the same time, which means your data would be encrypted on both storage devices. In the second step, protecting privileged access, this is key.
In fact, you want to have MFA on everywhere because with all these data breaches happening right now, there’s a lot of credential stuffing attacks happening where the passwords are being reused. So the whole thing is, you know, make sure you have a technology in place that’ll help make it as hard and difficult for the attacker to get in as possible.
You mentioned make sure there are log controls. We see a lot of log management technology in place, but nobody’s looking at the screens — they’re just collecting event data. And then they realized they had a cyber attack. They’re like, ‘Oh yeah, yeah, this is, this happened seven months ago.’ But nobody was looking at the screen [to see a possible warning.]