Welcome to Cyber Security Today. This is the Week in Review for the week ending June 2nd, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
In a few minutes Terry Cutler of Montreal’s Cyology Labs will be here to comment on some of the latest news. But first a look at headlines from the past seven days:
A report into the 2021 ransomware attack against the Newfoundland and Labrador healthcare system exposed a number of major cybersecurity faults that contributed to the theft of data. Terry and I will have a few words to say about that report.
We’ll also talk about a New York state report into a data breach of a medical billing software provider that started with an unpatched firewall. We’ll look at an interim report on a ransomware attack on an Australian financial services firm. And we’ll analyze the jailing in the U.S. of two Nigerians who were part of a major cybercriminal group.
Also in the news, a group calling itself Anonymous Sudan that has been harassing Scandinavia’s SAS Airlines increased their extortion demand to US$3 million to stop their denial of service attacks. The attacks have been going on since May 24th.
Another huge unprotected database on the internet has been discovered. This one had 360 million records with personal information. It appeared to be from one of two VPN apps and therefore might be a list of subscribers. A security researcher emailed both those apps and after that access to the database was blocked. One might deduce that an employee wasn’t careful with security controls on the file. One hopes that a crook wasn’t as skillful as the security researcher in finding the database.
IBM released a detailed analysis of the latest version of the BlackCat ransomware strain. It focuses on stealth, speed and exfiltration of data.
Toyota has acknowledged more customer information in Japan as well as in other countries was possibly exposed over seven years due to a cloud misconfiguration. Victims were subscribers to Toyota’s G-Book and G-Link navigation services. This notification comes just weeks after the company admitted data of more than 2 million vehicles in Japan was exposed over more than a decade.
Jetpack, a WordPress security plugin, released a critical security update. WordPress administrators who use this plugin should update it as soon as possible.
IT administrators with computers and motherboards from Gigabyte are being warned to update the devices’ firmware to the latest validated version. This comes after the discovery that the firmware in some systems is dropping a backdoor, possibly indicating the manufacturer’s firmware was compromised.
And Amazon’s Ring home video security division will have to pay US$5.8 million to some customers after the U.S. Federal Trade Commission found security and privacy failures. They included employees watching customers in their homes and hackers being able to break into Ring systems to see videos and threaten residents. The proposed settlement also says Ring has to implement a comprehensive privacy and security program that strictly limits the ability of staff to view customers’ videos.
(The following is an edited transcript of one of the four topics we discussed. To hear the full conversation play the podcast)
Howard: News item one: Newfoundland and Labrador’s privacy commissioner slams the provincial government for the way it handled a ransomware attack on the healthcare system in 2021. In the attack the personal information of at least 100,000 residents and healthcare system employees was stolen.
I’m not sure where to start in this tragi-comedy. First, it took 18 months before the government admitted it was a ransomware attack. When it finally did the government said it was advised by legal authorities and police to say nothing. The privacy commissioner said the delay was unjustified. Second, it started when somehow a hacker got hold of an employee’s login credentials to a VPN. Third, the attacker was able to move through the IT system undetected for two weeks before the ransomware was launched. They were even able to escalate their access privileges. Fourth, the provincial Centre for Health Information, the body that oversaw the IT system, didn’t put a priority on cybersecurity despite a consultant’s report identifying a number of weaknesses. Fifth, there were some IT alerts of suspicious activity, but they weren’t properly investigated. Sixth, among the stolen data were Social Insurance numbers collected when some patients registered for care. Why? Because there was a space in the online admission form when they checked in. The healthcare administration didn’t need to collect Social Insurance numbers. The software company that created the admissions application just put it in there, and no one told admissions clerks it didn’t need to be filled in. Terry, is this a worst-case scenario?
Terry Cutler: Let me just open the hood a little bit to show you what really happens behind the scenes when this goes on. Health care right now is taking a beating. There’s a lot of staff that come in [to an institution]. They’re all gung-ho to make a big change in its environment. You know, dealing with 18,000 computers. Then they realize how much bureaucratic red tape there is and they can never get anything done. If they want to deploy a patch it could take a month, two months to do because there’s always some reason why they can’t do it. And there’s a good chance that an IT consultant that found vulnerabilities is no longer there either. So when an incident occurs they have to co-ordinate different [IT] teams to find out what happened. Then they realize that there’s no EDR [endpoint detection and response] in place. They have way too many tools deployed so they don’t know where to look. So if somebody’s handling an incident on a desktop they have to involve the network team and maybe they have to deploy the server team. And these groups don’t necessarily talk together. Then they realize when they’re trying to piecemeal this all together that they’re missing a lot of log information. Or the event logs were never collected, and now they’re in trouble and they’ve got to find an [external] incident response team. Then they find out how much it costs to engage these teams. Now they’ve got to get budget approval. Two or three weeks has gone by since this occurred before they [engage] an IR team. Then the team has to start collecting evidence. And the biggest challenge is to preserve the evidence of what happens so they can figure out what’s going on.
Howard: I’m not sure which part of this story is the worst. I’ll start with what some might call a ransomware cover-up. A lot of organizations are afraid to use the ‘R’ word. They use ‘cyber incident’ instead. Is that justified?
Terry: They’re trying to water it down. The biggest challenge to why it takes this long to do investigations is because we have to preserve the evidence and have the artifacts on machines so we know who accessed them, when they accessed them, what did they take, were there USB keys plugged in? It’s the copying of the evidence that takes the longest time. We’ve had situations where a server was down and the IT department will say, ‘I’ll get this thing back up in 20 minutes.’ But they have to take forensic copies of these machines. We’ve seen them go as long as 18 hours to copy this stuff. Now your system’s down for 18 hours and nobody can use it. You can’t just go and start reformatting these machines and getting them back up and running because that destroys the evidence needed for a report to the insurer and for the public to know. So then they [the organization] have to build a presentation to present the findings. You asked how it was kept quiet for all those months? It’s because that could lead to lawsuits if misinformation is presented. They really need to know what went on, how it got in, what did they take and maybe even track back who took it. That’s why when law enforcement gets involved it’s ‘Don’t tip off anybody. Let’s just find out what’s going on.’
Howard: The privacy commissioner certainly said it was an unjustified delay [in telling the public that the attack was ransomware].
Terry: Here’s a perfect example when we did an incident response on a healthcare institution: We collected a bunch of machines and we’re looking through so much data – over 21,000 auto start entries on some of these machines. These are applications that would start up, they would talk to various machines within the organization. It’s talking to like over 3,000 machines of which only 18 are external IPs. Then we find out there’s a hidden TOR network in the environment that’s been copying out data. These investigations take a long time, and a lot of times they don’t have proper [IT] staff in place to help out.
Howard: Regardless of whether an attack is ransomware, they all start somewhere. And in this case, an attacker got hold of an employee’s login credentials. This, just like many other cyber attacks, probably could have been stopped with multifactor authentication.
Terry: Totally agree. And of course the employee would have been prompted to enter his [MFA] code for no reason [when the attacker tried to log in]. So with proper awareness training he might have known that it was time to change his password [because the request for a code would be a tip-off someone else had their password].
Howard: Another thing that bugged me was the unnecessary capture of Social Insurance numbers. For our American listeners, these are like Social Security numbers. These are great for crooks who want to create phony identities.
Terry: This is the perfect example of teams that don’t necessarily work together or do not understand the risks associated with using this type of data without proper training. It comes down to this: we wouldn’t let someone drive a car without a [driver’s] course. So why do we do it when it comes to cyber security? Staff need to understand what they’re doing with data and how at risk it could be if they don’t handle it properly.