Welcome to Cyber Security Today. From Toronto, this is the Week in Review for the week ending Friday March 1st, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
In a few minutes Terry Cutler of Cyology Labs will join me to discuss some of the news from the past seven days. But first a look at some recent headline news:
Two major ransomware gangs that were hit by law enforcement agencies seem to have bounced back. That includes the LockBit gang that last week suffered a major blow. Terry and I will talk about how hard it is to knock these gangs out of business.
We’ll also discuss Canada’s new proposed online harms legislation. We’ll talk about why organizations still hang on to unsupported software, a White House call to software developers to use memory-safe programming languages and an Australian data breach caused by the exploitation of a temporary worker’s password.
Also in the news this week, a reminder of why Windows patches have to be installed fast. Researchers at Avast said North Korea’s Lazarus Group has been quick to exploit a vulnerability on systems that weren’t patched promptly after Microsoft released Windows updates on February 13th.
Separately, Japan’s Computer Emergency Response Team says Lazarus has plopped four malicious packages on the Python PyPI repository. Two of the four packages have names similar to a legitimate encryption algorithm that a developer would want to download.
A new Linux-based malware has been found for compromising telecommunications networks. Called GTPDoor by researchers at DoubleAgent.net, it allows traffic captured by the malware to be hidden on a roaming telecom exchange network.
U.S. President Joe Biden issued an Executive Order allowing the Attorney General to prevent the large-scale transfer of Americans’ personal data to designated countries. The order would prevent companies collecting data, including data brokers, from shipping biometric, geolocation, financial and other data to countries with a history of misusing data on Americans.
A California-based law firm called Houser LLP is notifying over 326,000 people that personal information it holds on them was copied by a hacker last May. The law firm, which has offices in 11 states, doesn’t say it was a ransomware attack, but it does say files were encrypted. The law firm also doesn’t say that the crooks were paid, but does say the hackers deleted copies of stolen data. After the attack the law firm improved security, including adding anti-ransomware detection software and multi-factor authentication for its email system.
Finally, Cisco Systems released its semi-annual security updates for firewalls running its FXOS operating system and Nexus switches running NX-OS.
(The following is an edited transcript of the first of five topics discussed)
Howard: Topic One: The nine lives of ransomware gangs.
The LockBit gang suffered a broad attack by law enforcement agencies just over a week ago, losing access to a website and over a dozen servers. In addition, over 200 cryptocurrency accounts of gang members or affiliates were frozen. The U.K. said the gang’s capability and credibility had been damaged. But LockBit has been able to launch a new dark web site and is listing victims. Remember the BlackCat/AlphV gang that was hit in December? This week it admitted it was behind the attack on American pharmaceutical data processing firm Change Healthcare and stole 6TB of data. Hunters International, which emerged last fall, is believed to be a re-brand of the Hive ransomware group, which was dismantled earlier last year.
It’s not easy to kill a ransomware gang. What do you hear about these gangs? Are they fully back in business? Partly?
Terry: On the last podcast [Feb. 23rd Week in Review] we thought there was going to be a bit of a break because we thought law enforcement infiltrated LockBit too deeply to regroup. But you see how fast they got back up and running. And they brought that data leak portal to a new onion address, which is part of the Tor Network. That demonstrates how fast the gang could get back up and running regardless of law enforcement actions. We later found out that they suspected law enforcement penetrated their systems based on a weak PHP version [on their servers]. So when they [police] got in there they may have been able to uncover more vulnerabilities and get deeper into a network. Once the gang figured out what went wrong they could beef up their security and be more vigilant.
Howard: What makes it so hard to kill a ransomware gang?
Terry: A bunch of things. The biggest problem is that ransomware gangs often operate in a decentralized manner. Members are spread around the world. It complicates legal matters because there are jurisdictional issues. Legal systems require a lot of co-operation between countries and law enforcement to be able to arrest or extradite suspects. What makes it even worse is the ransomware-as-a-service model. Gangs’ developers just build the code, then ‘rent’ it to affiliates. It reduces the risks for the top-level developers. It’s harder [for police] to get to the big guys. The use of cryptocurrency adds more complexity because it’s anonymized. And of course they [gangs] get more sophisticated with technology all the time … And as long as victims are willing to pay, these guys will exist for a long time.
Howard: Is refusing to pay ransoms going to kill ransomware gangs?
Terry: That’s a tough question. Here’s why: If your business gets hit with a ransomware attack and your data backups are completely encrypted, you have no way of recovering this data. You’re going to face two choices: Pay the ransom or lose your business. So sometimes you just don’t have a choice but to pay. That keeps them funded. It’s going to require a lot of collaboration on the victim’s end [to stop ransomware]. They have to report the breach to law enforcement so they can provide evidence of how they were infiltrated. Companies also need to beef up their incident response plans — make sure you do proper [cybersecurity] audits every year, make sure your insurance plans are up to date, find out who to call first when things go wrong and make sure you educate the employees on what not to click on.
Howard: Ransomware gangs survive by demanding payments through anonymous cryptocurrency networks like Bitcoin. Are there ways of getting into those networks that will snuff out the monetary gains that gangs can get?
Terry: It’s not easy, and it requires a lot of collaboration between governments, law enforcement and victims. They have to apply dynamic execution to the ransomware binaries. By using machine learning researchers can link specific ransomware families to certain Bitcoin wallets and they can find out where the money’s going. They can also find out where the cash-out wallets are. As law enforcement gets more information about these wallets they may be able to seize some of the servers so when the [ransom] payments arrive they can seize the payments. That’ll help put a dent in cybercrime.
Howard: Then there’s the old question of what it will take to convince organizations to beef up their cyber security to lower the odds of being crippled by cyber attacks. As I mentioned in the news summary, a big American law firm recently sent out a data breach notification to 326,000 victims over what appears to be a ransomware attack. In its notification to victims the law firm says after the attack it added multifactor authentication as an extra step to protect against logins being compromised, and it added anti-ransomware software. Why can’t firms learn to do this before they’re hit?
Terry: It all comes down to thinking, ‘This will never happen to me.’ It’s still common. People don’t have the proper [cybersecurity] basics in place. You’d think MFA by now should be standard or mandatory, but a lot of companies we interview haven’t implemented it everywhere. The regular users have it but the executives don’t because they find it too complex, it hinders their work progress, they don’t want to log in three times a day — whatever the excuse is. It’s only once they’ve been a victim that all of a sudden they’re the biggest advocate for cyber security. Companies need to get their cybersecurity basics in place: Get audits done to find out where you are today, where you need to be and where you should be. There are a lot of tools out there. We do this for customers all the time. Let us show you your attack surface. Let me show you from the point of view of a hacker what they see about you via public sources like Shodan: ‘Look, you have a whole bunch of exposed remote access, you have certificates that have expired, you’ve got end-of-life software. All these entry points could be leveraged to gain access to your system.’ Why is this not done? There’ll be excuses like, ‘My IT guys have it covered. We outsource this stuff …’ Why haven’t they done it? It requires a lot of collaboration.
They also need to provide a lot of [cybersecurity] awareness training to end users, and this is a bit of a challenge right now because when you use traditional phishing and awareness training platforms a lot of users don’t care; they don’t think it affects their personal lives. We have to educate them that when companies get hit there are lots of layoffs. Companies may close their doors. There could be fines. There could be a real financial impact.
(To hear the rest of the discussion play the podcast)