Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday, February 2nd, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
In a few minutes David Shipley of Beauceron Security will be here to discuss recent news.
That includes more revelations from 23andMe and from Microsoft about their recent data breaches; the Canadian government investigating a hack at Global Affairs, this country’s foreign service; the FBI’s testimony before Congress on the cyber threat from China; Canada’s proposed cybersecurity law for critical infrastructure providers and the $27 million cost to Johnson Controls of a ransomware attack.
Also in the news in the past seven days, administrators of Ivanti Connect Secure VPN and Policy Secure gateways were told of the discovery of two new vulnerabilities they have to take action on.
A cyberattack against Fulton County, which includes the city of Atlanta, forced the temporary closing of some government IT systems. That included phone lines, the ability to file documents online with the court system, paying property taxes, accessing property records used for buying and selling land, the ability to pay water bills online and more. The county continues to work on restoring services.
Meanwhile one or more students at an innovation academy accessed the school district’s IT system without authorization. This is unconnected to the attack on the county.
Three Americans were charged with stealing more than US$400 million in a 2022 SIM-swapping attack. Security reporter Brian Krebs believes the funds were stolen from the now-defunct FTX cryptocurrency exchange.
Linux administrators and application developers were warned to make sure they’re running the latest version of the operating system. That’s because researchers at Qualys discovered four vulnerabilities.
The AlphV/BlackCat ransomware gang is trying to stay alive after the FBI took its infrastructure down in December. It may now be lying about successful attacks to get headlines — and possibly to trick victims into paying. That’s according to a researcher at RedSense. He told the news site Dark Reading this week that while AlphV claimed an attack on a defence contractor, other than a few screenshots there’s no evidence the company was compromised.
And Juniper Networks released updates to fix high-severity vulnerabilities in its SRX and EX series firewalls.
(The following is an edited transcript of the first of the discussion topics. To hear the full conversation, play the podcast.)
Howard: Topic one: Timing is everything: The genetic testing service 23andMe gave new details about its huge data breach last week, and the Canadian government admitted the IT network of its foreign affairs department was hacked.
What do these incidents have in common? It took a while for them to be detected. In the case of 23andMe, hackers were in its system for five months. In the case of Global Affairs, the attacker was in the system for a month before detection. David, what does this say?
David Shipley: First, this kind of presence for that length of time is to the right of the median dwell time for cyber attacks, as measured in reports by Mandiant. Dwell time is the time criminals are in a network before either attacking with things like ransomware or being discovered by defenders. Dwell times have generally been trending down from 21 days in 2021 to eight to 10 days in 2022. Keep in mind median is one measurement. It’s not necessarily average. Average can be skewed by folks to the left or right of the median, so it’s really interesting. These attacks should have been caught sooner. I suspect if attacks were using normal tools in the 23andMe case that are regularly present in the IT environment — what we regularly call living-off-the-land — it’s going to be hard to spot unless the company has a very, very good monitoring program. And again, in the case of 23andMe, given that this was using a multitude of breached user accounts, unless they were watching for logins from geographies outside of the private country of the user, they’d likely have no clue what was happening — other than potentially looking for failed login attack patterns.
In the case of Global Affairs, I am deeply, deeply interested in learning more about the VPN tool the government referenced as being an integral part of the breach. Was this a zero-day vulnerability or was it a more routine misconfiguration? Was this a known vulnerability? If so, why wasn’t it patched? I can’t imagine December 20th [when the hack reportedly started] was a great time for the IT team there [at Shared Services Canada] to be doing anything. I really hope we get more transparency from the federal government on what happened, how it happened and lessons learned. If they were using a commercial vendor product, this could be beneficial for many other organizations to learn from.
Howard: I thought that detection is one of the prime parts of a cyber security strategy.
David: It is, but it’s certainly not the only part of a strategy. And you know, people’s perception of what detection actually is capable of doing, what catching something that’s abnormal when it looks and walks and talks everything that’s normal because you know … Stop and step back for a second. Global Affairs will have logins from countries around the world. That’s where staff are. That’s where their embassies are, working remotely from internet service networks associated with those various countries. So a lot of the easy ways that people might detect things get a lot harder. It’s tough, but they do have some really, really good tooling. So what I’m hoping is that we learn more about who the attackers were.
Howard: Well, 23andMe didn’t know about the incident until the hackers advertised that they had stolen data.
David: This wins the award for the worst possible way you can learn about a breach.
Howard: This was the second hack at Canada’s Department of Global Affairs in two years. Does that say something about government security?
David: I’ll use a hockey analogy: First, shots on goal on the federal government are astronomical. Everybody’s trying to get into the net, so they’re never going to be perfect defenders. They’re too big of a target for too many players who have the money and patience to keep taking shots until they score. Second, we really need the government to come out and give us a sense of whether this was regular cybercrime, which would be disappointing to see get past its defenses, or another nation-state, which frankly is much more understandable. It’s what we do to other countries. This is exactly the kind of target our intelligence agencies would be going for. It’s part of the great game and frankly, it’s fair game in spying. This is what I would expect, but I would like to understand the context.
Howard: Well, the Canadian government hasn’t given details about how Global Affairs was hacked two years ago. You know, silence isn’t golden.
David: It’s incredibly frustrating. We need the federal government to follow the leadership that some of the provinces like Nova Scotia have displayed. They did a great job being transparent and accountable during the MOVEit breach. And we need the federal government to lead by example, particularly in a time when they’re going to be passing legislation that will force others to provide it with information about their cyber incidents. It should do the same as a measure of good faith.
…… ….
Howard: Topic 6: American cyber leaders rip China.
In testimony on Wednesday before Congress, FBI director Christopher Wray complained China is attempting to preposition malware on the IT systems of U.S. critical infrastructure providers to strike whenever it wants. He also said the FBI had, with a court order, disrupted a [Chinese] botnet of hijacked American routers whose goal was to spread malware. That botnet was created by the group that security researchers call Volt Typhoon. The congressional committee also heard complaints about China from the Director of the Department of Homeland Security, the Cyber Security and Infrastructure Security Agency and the commander of U.S. Cyber Command. How likely is it that this saber-rattling will affect China’s cyber strategy?
David: I don’t think it’s going to affect it a whit. I think we also need to recognize the Americans are doing this to China; they were doing it to Russia. You’d be insane as a modern country to not be trying to get a foothold in these things as part of a holistic conflict strategy that might involve a proportional response. You know — you get hacked, the power grid goes down in Cincinnati and maybe you turn power off in Shanghai as a proportional response, versus let’s go straight to World War III. This is the Great Game. I find the timing fascinating, and the reason I say that is I was reading CNN earlier this week and we had President Biden and President Xi saying China’s agreed not to do election interference.
By the way, President Biden, free advice: Canada signed a nonaggression treaty with China back in the day under Prime Minister Trudeau about cyber after they raided our cookie jar and they didn’t keep their end of the bargain. So keep your election non-interference receipt with a big grain of salt.
Howard: This bot was composed of home office routers from Cisco Systems and Netgear that are no longer able to get or qualify for security updates. Once again old equipment is a security risk.
David: This goes back to something we were talking about in 2023 which had to do with internet of things regulation in security, reasonable lifespans for equipment and reasonable expectations for customers to keep them secure. Maybe we have to get to the point of saying, ‘As a responsible maker of technologies that can have a dual purpose — that is, they can be a great home router but also can become part of a zombie bot army used by the Chinese to shut down the power in Cincinnati — you have to keep these things patched and updated for 10 years. These patches have to flow through, ideally by default, automatically.’ Two things: People who are busy moving through their regular lives aren’t trying to be cyber security network engineers at home. And that at the end of an equipment’s life you actually have to make it stop working when there’s a reasonable notice period. ‘This thing is going to be out of security in 12 months and we’ve notified you, and at the end of that 12 months it’s not going to be able to connect to the internet anymore.’ Maybe that’s the solution for home internet routers so they can’t be a threat to national security.