Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday, March 22nd, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
In a few minutes Terry Cutler of Montreal’s Cyology Labs will be here to talk about recent news. That includes lessons learned from the ransomware attack on the British Library last year, the latest crooks in court, app developers leaving their Google Firebase instances unprotected, and advice for corporate leaders on managing their expectations of cybersecurity teams.
Before we get to the discussion here’s a quick roundup of other news that happened in the last seven days:
Crooks have been quick to exploit a recently-discovered vulnerability in the on-premises version of JetBrains’ TeamCity continuous integration server. Trend Micro says servers that haven’t been patched are being hit with ransomware, backdoors and cryptomining malware.
Ivanti is urging administrators using its Standalone Sentry gateway to install a security patch that closes a remote code execution vulnerability. It’s rated 9.8 on the Common Vulnerability Scoring System.
A February ransomware attack that hit Change Healthcare, a company that processes healthcare transactions for institutions across the U.S., continues to impact healthcare providers across the country. According to SCMagazine.com, facilities say they can’t pay medical suppliers or employees, and patients have to pay out of their savings for medications. Washington is trying to help. The Health and Human Services Secretary told Congress this week that the department is issuing US$2.5 billion in advance Medicare and Medicaid payments to institutions.
Developers and IT administrators using hardware and applications that run on the Zephyr real-time operating system are reminded to update it as soon as possible. This comes after researchers at Synopsys discovered serious vulnerabilities. Fixes were released in January; the findings were made public this month.
German researchers have discovered a new type of denial of service attack that could affect 300,000 network devices. It takes advantage of vulnerabilities in communications protocols such as DNS, NTP and TFTP, as well as some legacy protocols. Called a loop attack, it can be blunted by applying the latest security patches, or mitigations such as firewall rules, to network equipment from Cisco Systems, Honeywell, Broadcom, Microsoft, MikroTik and more.
Mintlify, which offers a cloud service that helps developers generate code documentation on their computers or in GitHub, says a hacker accessed 91 GitHub access tokens belonging to customers who use the service to analyze their repositories. The tokens were stored in Mintlify’s databases. They have since been revoked.
As I said earlier, Terry and I will talk about the dangers of misconfiguring Google Firebase. This week researchers at Tenable released a report on how they found a vulnerability in Amazon Web Services that could have been exploited, with the help of a misconfiguration, to take over a web management panel. AWS has fixed the problem, but it’s also a warning to other cloud providers to put guardrails in their domain architecture to prevent similar risks.
Finally, GitHub’s promised code scanning autofix tool is now in public beta. Developers can use the tool to identify many vulnerabilities in Java, JavaScript, TypeScript and Python and suggest fixes. While it’s in beta, only those with a GitHub Enterprise account who use GitHub Advanced Security can access the tool.
(The following is an edited transcript of the first of the four news items Terry Cutler and I discussed. To hear the full conversation play the podcast)
Howard: I want to start with a report on lessons learned by the British Library from the ransomware attack by the Rhysida gang last October. For those who don’t know, the British Library is the national library that houses 170 million pieces of the country’s most valuable books, ancient documents, maps, sound recordings and more. It’s open to the public and researchers. Five months later it still hasn’t completely recovered from the attack. But to make sure the public understands what it has been doing for several months — and to help pass on lessons to cybersecurity and IT pros — the Library released an incident analysis.
Much of the server infrastructure was either encrypted or destroyed, with some 600GB of data copied. That was later dumped on the dark web after the Library refused to pay for decryption keys. To recover the Library has to completely overhaul its IT infrastructure, in part because some major software legacy systems aren’t supported any more by their vendors or won’t function under the new secure infrastructure.
What did you learn when you read the report?
Terry Cutler: A couple of things. So every time we come in for an incident response after a company got hacked there are usually three things that occurred: One, no one [in IT] is watching the alerts. They’re all getting alert fatigue. We see this all the time; even when we’re doing adversarial testing we come in, do a test and nobody sees the [incident] alerts. When they do check in their emails or in their event log manager, they see that the alert was there, but nobody was watching it. Number two, they’re watching the alerts, but they aren’t skilled enough to understand that there’s an incident occurring. Or three, they’re relying on log managers to monitor the threats and these logs are coming in delayed. That usually happens a lot. That’s why we really push for full [network] packet capture whenever we’re doing incident response.
The other thing you need to understand is it’s very important to baseline the network [activity]. Is it normal that people are port scanning all the time? How much data is being traversed through things like external backups? You need to understand, have a baseline of what’s going on inside the network. You also need to have proper incident response protocols up to date. We see a lot of cases where there’s a short version of an incident response plan because the company outsources their IT. The plan would say, ‘Call this person.’ But then when you talk to that person they have no idea how to prepare for it. They have to call another person.
The other problem too is that a lot of times they [IT] have too many tools that are trying to piece together what just happened. They’re using one vendor for one software, one vendor for servers, another vendor for EDR on the endpoints, another vendor for network monitoring. These tools aren’t necessarily made to work together. So they need to have proper technology in place that can look at all this holistically.
In a lot of cases when we do either a penetration test or adversarial test to see if the third party is actually monitoring their network, the organization isn’t being told port scanning is occurring, reconnaissance is occurring.
Howard: As you said earlier, the best evidence is that the hackers got in through a Terminal Services server that was set up to allow IT contractors to access the library network for maintenance. Those people didn’t have to log in with multifactor authentication. The interesting thing is permanent staff needed multifactor authentication to log into their email. However, the IT contractors didn’t have to use MFA. The library knew that was risky, but they thought other [login] mitigations would suffice. Apparently, they didn’t. So a lesson here, it seems to me, is multifactor authentication for everyone just can’t be put off.
Terry: It needs to be on for everybody. It doesn’t matter if you’re the janitor or the CEO. Everybody needs to have it on. And you want to have like a layered approach, right? So even if your MFA fails, there should be other technologies in place that will help detect the problem. Just before jumping on this call I ran a dark web scan against the library’s domain and found over a thousand [British Library] leaked passwords [up for sale]. That means that the cyber criminals could log into these accounts without even getting additional security prompting for them [unless MFA was enabled] … So MFA really is important. And if you’re not sure if your organization has it on or off or who’s missing it, get an audit done. Find out who has a password set to never expire, who has never logged in before, because that happens all the time where a contractor or an employee gets hired, but then maybe quits almost immediately and the account never gets shut down. So a [password] audit is required here.
Howard: The timeline of the response to this attack is really interesting. At 7:35 in the morning, there was a realization that there was something wrong. Two hours later, the crisis management plan was invoked and that led to the library’s Gold Crisis Response Team being notified. By 10 o’clock, a WhatsApp video call was arranged with senior people. They were using WhatsApp because they couldn’t rely on email [after a successful breach of security controls]. This is a lesson on how a well-prepared organization planned [to respond to] a cyber attack, which is a lesson a lot of companies should learn. But what do you do if you’re a small company? You’re not going to set up a gold crisis team. You’re going to have fewer resources. So how does a small organization have an incident response plan and prepare to set up people to respond to an attack?
Terry: They had such a really great incident response plan set up — but yet they didn’t put on 2FA for everybody. That’s one of the basics. It’s step one. [But] you’re on step eight and you didn’t do step one. So listen up, small business owners: You’ve got to have even a simple incident response plan with the basics, like if an incident is detected who’s in charge of the recovery process? Who’s in charge of PR? And you also have to be doing [daily] the cybersecurity basics. Do you have proper patch management? Are you doing proper backups? Are you doing your assessments? Is IT properly equipped to rebuild the network in case there’s an incident?
Here’s a perfect example. I had a meeting recently with a customer who has pretty much a one-man IT operation inside the organization. When we asked him for his incident management plan, he said, ‘I just call this guy.’ To confirm, we called that other person, who’s the outsourced IT department, and they’re completely unprepared …
Howard: I noticed the report said that “previously approved investment updates are now being implemented.” That’s like closing the barn door after the horses escaped. You know, to me, the lesson is don’t put off getting rid of legacy equipment. Do it fast, do it now.
Terry: It’s the ‘It’ll never happen to us’ approach. So you need to really perform regular [security] assessments and [security] updates all the time … A lot of folks are still carrying Windows XP and they can’t get rid of it because it’s required to handle the door security, for example. So if they want to upgrade that system, which has an embedded Windows XP, they have to change the whole security infrastructure. Sometimes they just don’t have the budget to do this. So they’re stuck with it. That’s why it’s very, very important that you start segmenting your network and baselining what you have. During an audit, you’ll be able to see what machines are aging, for example. So if you see machines that are seven years old you should already have a plan in place to replace or upgrade them. Because with software sometimes the vendors no longer exist and you’re stuck with it.
Howard: Another lesson I took from the report was that a lack of network segmentation is going to lead to more damage than necessary from a cyber attack.
Terry: I had that exact conversation with a person this week. Their entire network was flat. Everything was on one subnet. No, you need to segment this off because you need to contain the environment if something happens. So if an attacker breaks in, he’s not going to have access to the whole lot. You want to make sure that he’ll be limited by segment. So this way the damage is contained.
People say, ‘I got this brand new firewall.’ But hackers aren’t wasting time trying to hack your firewall. Why would they, when all they have to do is send an email to one of your employees [and if they fall for a scam] they [the attacker] become an insider?
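A worked example of the account audit Terry describes in the conversation above (password set to never expire, never logged in, stale accounts, and accounts with no MFA), added here after the transcript; it is not part of the podcast or the British Library report. It runs over a constructed CSV shaped roughly like a `Get-ADUser -Properties ... | Export-Csv` export. The `MfaEnrolled` column is an assumption standing in for whatever your identity provider reports, since Active Directory itself does not record MFA enrolment; the thresholds and account names are also made up for the example.

```python
"""Triage an exported account list for the conditions discussed in the podcast:
password never expires, never logged in, stale logon, and missing MFA enrolment.
Added example; the CSV below is constructed, not a real export."""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample. Column names mirror a Get-ADUser export; MfaEnrolled is an
# assumed column joined in from the identity provider (AD has no such attribute).
SAMPLE_CSV = """SamAccountName,Enabled,PasswordNeverExpires,LastLogonDate,WhenCreated,MfaEnrolled
alice,True,False,2024-03-20 09:12:00,2019-05-01 08:00:00,True
contractor-bob,True,False,2024-03-18 22:05:00,2023-11-02 10:30:00,False
svc-backup,True,True,2024-03-21 03:00:00,2018-01-15 12:00:00,False
carol,True,False,,2024-02-28 09:00:00,True
dave,True,False,2023-09-01 08:00:00,2017-03-03 09:00:00,True
eve,False,True,,2016-06-06 06:00:00,False
"""

STALE_DAYS = 90              # no logon for this long counts as stale (assumed policy)
NEW_ACCOUNT_GRACE_DAYS = 7   # a brand-new account may legitimately have no logon yet
TIMESTAMP = "%Y-%m-%d %H:%M:%S"


def parse_accounts(text):
    """Parse the CSV into dicts with typed fields; an empty LastLogonDate means never logged in."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        last = row["LastLogonDate"]
        accounts.append({
            "name": row["SamAccountName"],
            "enabled": row["Enabled"] == "True",
            "pwd_never_expires": row["PasswordNeverExpires"] == "True",
            "last_logon": datetime.strptime(last, TIMESTAMP) if last else None,
            "created": datetime.strptime(row["WhenCreated"], TIMESTAMP),
            "mfa": row["MfaEnrolled"] == "True",
        })
    return accounts


def audit_accounts(accounts, now, stale_days=STALE_DAYS, grace_days=NEW_ACCOUNT_GRACE_DAYS):
    """Return {account_name: [findings]} for enabled accounts; disabled ones are skipped."""
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue
        issues = []
        if acct["pwd_never_expires"]:
            issues.append("password never expires")
        if acct["last_logon"] is None:
            # Only flag "never logged in" once the account is older than the grace period.
            if now - acct["created"] > timedelta(days=grace_days):
                issues.append("never logged in")
        elif now - acct["last_logon"] > timedelta(days=stale_days):
            issues.append(f"no logon in {stale_days} days")
        if not acct["mfa"]:
            issues.append("no MFA enrolment")
        if issues:
            findings[acct["name"]] = issues
    return findings


def run_sample(now_str="2024-03-22 12:00:00"):
    """Audit the constructed sample as of a fixed date so results are reproducible."""
    return audit_accounts(parse_accounts(SAMPLE_CSV), datetime.strptime(now_str, TIMESTAMP))


if __name__ == "__main__":
    for name, issues in run_sample().items():
        print(f"{name}: {', '.join(issues)}")
```

Two caveats when running this against a real export: `LastLogonDate` is derived from the replicated `lastLogonTimestamp`, which can lag the true last logon by up to 14 days, so use a stale threshold well above that; and disabled accounts are skipped here only to keep the list short, while an orphaned disabled account (the contractor who left) should still be removed rather than left on the books.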