Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday, August 18th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
In a few minutes David Shipley of New Brunswick’s Beauceron Security will be here to discuss recent news. But first a quick look at some of what happened in the past seven days:
The U.S. Cyber Safety Review Board released a critical report examining why the Lapsus$ extortion gang had so much success. One reason: IT departments that mandated the use of multifactor authentication allowed the use of SMS text services for the delivery of second-factor codes instead of using phishing-resistant 2FA. David has some criticism of the report.
We’ll also look at a ransomware attack on a Canadian not-for-profit, the discovery by Ford of a WiFi vulnerability in some cars’ infotainment systems, and whether governments should mandate minimum cybersecurity standards for internet-connected consumer devices.
Also in the news, more victims of the exploited vulnerability in the MOVEit file transfer application are coming forward. This week they included First National Bank of Omaha, which said data of just under 3,000 people held by Pension Benefits Information was copied when PBI was hacked in May. PBI provides benefits audit and address services for the bank and many other organizations. A number of them are notifying their customers, employees or former employees that their data was compromised when PBI’s MOVEit server was hacked. Companies in the past seven days that revealed they were also hit through similar third-party MOVEit hacks include Glacier BanCorp of Montana, insurer New York Life and Banco Popular de Puerto Rico.
Over 14,000 clients of a Milford, Connecticut law firm are being notified of a January data breach. They are being notified now because the investigation into the incident at the Carter Mario firm ended on July 20th. The regulatory notice filed with the Maine attorney general’s office says the cause was an external hack. There were no further details. Data stolen included names and driver’s license or identification card numbers.
Cleaning products manufacturer Clorox says it had to take some of its IT systems offline this week because of a cyber attack. The company didn’t say if any data had been stolen.
A gang is exploiting unpatched instances of GitHub to install cryptomining and proxyjacking scripts on servers. That’s according to researchers at Sysdig. The attack uses several evasion techniques, but the bottom line is it can be stopped by running the latest version of GitHub or installing a patch that was issued two years ago.
Finally, Google released a proposed public security key scheme that will resist being cracked by a quantum computer. While quantum attacks are in the distant future, organizations have to start getting ready now, before quantum computers are widely available.
(The following is an edited transcript of the first of four topics we discussed. To hear the full conversation, play the podcast.)
Howard: Joining me now from Fredericton, New Brunswick is David Shipley. I’ll start with the report of the U.S. Cyber Safety Review Board into why hacks by the Lapsus$ extortion gang were so successful. In short, it was a polite skewering of IT and security teams. The board is a group of experts appointed by the U.S. Cybersecurity and Infrastructure Security Agency that investigates and publicly reports on significant cyber incidents. In its report last week it said the Lapsus$ gang made clear just how easy it was for its members — some of whom were juveniles — to infiltrate well-defended organizations. In particular, “the Board saw a collective failure across organizations to account for the risks associated with using text messaging and voice calls for multi-factor authentication.”
What the gang did in many cases was bypass multifactor authentication sent over SMS text in a number of ways, including paying for credentials and tokens on the dark web, paying employees for access to credentials, and convincing support staff at wireless carriers to switch smartphones of targeted employees to phones the gang controlled so they could get the MFA codes.
As I wrote in my story, it seemed like the board said victim organizations had only themselves to blame. What did you think when you read the report?
David Shipley: I think there are some pretty gross oversimplifications of the identity and access management challenges facing organizations of all sizes. I am getting a bit frustrated with folks waving Fast Identity Online — or FIDO — passwordless solutions as a silver bullet. Because the reality is they’re more like a silver double-edged sword. They can cause significant issues for organizations at scale with lost or stolen tokens. I was much happier with the recommendations to move away where possible from text message or voice-based attacks. I’m a big fan of authenticator apps like Microsoft’s Authenticator, which can do things like number matching schemes, to further reduce the risk from so-called MFA request bombing. These were factors in some of the Lapsus$ attacks, where the push notification-based MFA just got slammed with so many requests that someone out of frustration would just approve the request. [Editor: These are attacks where a victim gets so many repeated prompts on their smartphone to approve authentication requests they never made that they give up and press ‘OK’. They don’t realize an attacker will intercept the approval.] I also found that this report glosses over the sophistication behind so-called simple tactics like social engineering. Social engineering, while not requiring the technical skills of developing a zero-day [vulnerability], requires a different level of skill and I think this report does it an injustice. In fact, I’m increasingly concerned that the reason phishing and social engineering still show up at the top of the annual Verizon data breach reports is that organizations still don’t really get how it works on the emotional or cognitive level and aren’t investing enough in the right kinds of education that can help make their employees more resistant to these attacks.
Howard: For those who don’t know, the Lapsus$ gang was responsible for a number of huge attacks, including stealing 200 gigabytes of corporate data from a Kansas-based surgical and rehabilitation center, stealing 37 GB of Microsoft source code, stealing and publishing source code for two flagship games from a gaming company, and stealing and deleting 50 terabytes of data including a Covid-19 database from the government agency of a country that isn’t named. For all of its youth, this gang sure knew what they were doing and how to exploit people.
David: That’s the point: These kids were not the most technically complex group on the market. They didn’t require nation-state capabilities to build really cool exploits and other things. But they got really skilled at figuring out how to go at the human component of cybersecurity. They were so successful because we still aren’t dealing with this [cybersecurity] in a significant way.
Howard: What stood out for you as the worst indictment in this report?
David: Actually I found a fascinating line buried in the report: “In particular, some members of Lapsus$ used fraudulent emergency disclosure requests, or EDRs, [to wireless carriers by impersonating a police department] to obtain sensitive information about targets that could be used to develop extortion attacks against targeted individuals, for example by taking over their online accounts to access personal photos.” The use of these fraudulent law enforcement EDRs is a known tactic. The board learned that security researchers are tracking at least 112 domains, including those belonging to international law enforcement agencies, that attackers have used to disseminate fraudulent EDRs. I think it’s really cute that the board is kind of blaming private sector firms for being victims. But if telecommunications providers get what they believe are legitimate police requests because some international law enforcement agencies are hosting malicious content that enables this fraud, well, as we used to say in the army, ‘Pot: This is Kettle.’
Howard: One of the big things of the report is identity and access management, which is why the board urges organizations to quickly stop using voice and SMS text-based multifactor authentication and move to phishing-resistant MFA. That’s not a new recommendation.
David: It absolutely is not. But like many things, it’s easy to say but really, really hard to do — particularly if the systems you rely on don’t offer anything else. I’m looking at you, Canada Revenue Agency, which is Canada’s national tax agency. To its credit, it rolled out SMS and text-based MFA in the last two years, but still doesn’t offer an application-based MFA option [like Google or Microsoft Authenticator]. So if you want MFA [from Canada Revenue], that’s what you’ve got. Also, I think it’s really important that we’re just coming to the tail end of a global pandemic and circling around the drain of a recession. Companies are tightening up on spending. And I can tell you that security doesn’t have the blank cheque they were getting in the early days and height of the pandemic.
Howard: Another significant recommendation by the board is that carriers should implement more stringent authentication methods to prevent SIM swapping. Which is another way of saying support staff should stop being so sympathetic to people trying to swap SIM cards over the phone or online.
David: I completely agree. Like it or not, SMS and voice-based authentication options aren’t going away this decade, so we need the carriers to invest more in security in this area. Personally, I’d like to see in Canada the CRTC [the Canadian Radio-Television and Telecommunications Commission] or another regulator mandate that people have the option to freeze their [smartphones’] SIM and that the only way a swap can be initiated is if they go to a physical store [of a carrier to get it changed]. Yes, they still exist. And they’d be required to show one or two pieces of government-issued ID to their current provider, and then their SIM can be unlocked and their number ported [to a new smartphone]. Ah, but this, my friends, is the age-old battle between immovable object and unstoppable force — or, as we often say, customer convenience and security. And to be honest, carriers are in a no-win scenario and are living in a world where the cell phone is a digital safety deposit box for online identity, and no one planned or designed security for that scenario.
Howard: One of the problems is that with the amount of data thefts going on it’s not too hard for a determined crook who has the resources and the contacts to create a phony ID, which they can then walk up to a carrier’s store and say, ‘Hi, I’m John Widget,’ and present them with a phony driver’s license and a phony birth certificate or a phony health card.
David: If they’re going to go to that limit it’s going to be for someone who’s a high-profile target. I can think about that billionaire who had his crypto [currency] nicked by the kid from Hamilton [Ontario] to the tune of about $27 million. A super bad idea to still be using this [for account access verification], particularly if there were other options to do it. But I think we’re raising the bar, and a lot of these gangs, particularly those that operate transnationally, are not going to physically walk into a cell phone shop in downtown Toronto to do this. Maybe they try and bribe some fall guy or fall girl [at a carrier] to do it, but that becomes a really interesting chain and it gives something in real life for cops to dig into. There’s lots of security camera footage and there’s a chain to trace back. We have to raise the cost and sophistication for these kinds of attacks, because right now it’s too fast and too furious and too easy.