There’s usually a word or phrase that sums up my annual Cybersecurity Year in Review.
“Lack of resilience” was 2022’s theme, highlighting the Canada-wide outage at Rogers Communications. “A crazy mess” was 2021’s theme, because of the SolarWinds Orion and other supply chain hacks.
This year, successful ransomware attacks hit a record level. But for me, that only made it the number two story of 2023.
What topped that were the seemingly never-ending admissions by thousands of organizations that their MOVEit file transfer servers had been raided by the Clop ransomware/extortion gang. The gang exploited a single vulnerability, and it opened the door to data theft on a huge scale.
Technically, CVE-2023-34362 is a SQL injection flaw in the MOVEit Transfer web application that can be chained to remote code execution, allowing an unauthenticated attacker to upload a web shell and gain access to the application's database.
According to stats compiled by Emsisoft, by Dec. 20, this one vulnerability spawned 2,691 hacks and the theft of data on over 91 million people around the world.
Which is why I’ve declared 2023 the Year of A Zero Day Nightmare.
Before we get to the nitty gritty of the MOVEit saga, remember infosec pros should have known that file transfer servers stocked with data have been alluring targets for threat actors for years. In 2021, vulnerabilities in the Accellion FTA application were used to hack servers. At the beginning of this year, customers using Fortra's GoAnywhere MFT servers were hacked.
In fact the Clop/Cl0p gang went after all three file transfer suites. Do you see a pattern here …?
Add this: According to researchers at Kroll LLC, Clop members were likely experimenting with ways to exploit the MOVEit vulnerability as far back as 2021, before they figured out how to exploit GoAnywhere MFT. For some reason — probably realizing the pickings were much bigger with MOVEit — the gang decided to first go after GoAnywhere servers.
Progress Software’s MOVEit is an on-premises or cloud application that compresses, encrypts and transfers large files. Customers often use it to send files to third parties like payroll processors. In fact, many organizations had their customer or employee data stolen not directly from their servers, but from third-party processors. For example, the compromise of MOVEit at National Student Clearinghouse, a nonprofit that provides reporting and verification services to American post-secondary institutions, affected nearly 900 schools and 51,000 people. Colorado State University was one of those institutions. In fact CSU was victimized six times through different providers.
Of the stolen data on 91 million people, the biggest chunk, 11.3 million, came from Maximus Inc., which administers many U.S. federal, state, and municipal programs. The second biggest (8.9 million) came from Welltok Inc., a provider of support services to a number of U.S. health plans like Blue Cross. The third biggest (6.9 million) was from Delta Dental, a provider of dental insurance plans. The eighth biggest (3.4 million) was theft from BORN Ontario, a Canadian non-profit registry of mothers, newborns, and children, with data going back to 2010.
According to KonBriefing Research, the vast majority of victim organizations (2,290) were in the U.S. Canada was second (152).
Interestingly, Clop’s strategy was to forgo the complexity of deploying ransomware. The gang just stole data and tried to extort victim firms. It isn’t known how many capitulated.
IT departments were seemingly defenceless, or oblivious to suspicious activity (see this Kroll report).
“The MOVEit product is often used to exchange information with other companies, which makes it difficult to protect the server from the internet,” Johannes Ullrich, head of research at the SANS Institute, told IT World Canada. “For a zero-day, it is also difficult to develop any kind of web application firewall rules or other rules to protect the server. Log monitoring may have shown some of the exploit activity, but not knowing what to look for makes it difficult to identify the activity.
“So in short, this was a hard vulnerability to avoid. Some victims may have been slow to apply the patch (and maybe sloppy looking for exploitation after the vulnerability became known).”
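Ullrich's point is that with a zero-day there is no signature to write, yet an attacker who drops a web shell (the post-exploitation step described for CVE-2023-34362 above) still has to request a server-side script path the application never served before. The following Python is an added example, not code from the article, from Kroll or from Progress Software: it baselines the script paths seen in a quiet window of IIS W3C logs and flags any new script path that the server actually answered, weighting POSTs and bytes returned. Every log line, host, path (including the hypothetical `/app/health2.aspx` shell) and the field order are constructed for illustration and are not indicators from the MOVEit campaign.

```python
"""
Added example: baseline-and-deviation detection of web-shell activity in IIS
W3C logs. Nothing here is from the article, Kroll or Progress Software; the
log lines, paths and addresses are constructed for illustration.
"""
from dataclasses import dataclass

# Assumed field order for the constructed lines (a common IIS W3C subset).
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status", "sc-bytes"]

# Server-side script extensions on an IIS/ASP.NET host; a dropped web shell
# has to be one of these to execute.
SCRIPT_SUFFIXES = (".aspx", ".ashx", ".asmx", ".asp")


@dataclass(frozen=True)
class Request:
    time: str
    method: str
    stem: str
    client: str
    status: int
    size: int


def parse_w3c(lines):
    """Parse W3C lines into Request objects, skipping '#' directives."""
    out = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed line; a real pipeline would count these
        rec = dict(zip(FIELDS, parts))
        out.append(Request(
            time=f"{rec['date']} {rec['time']}",
            method=rec["cs-method"].upper(),
            stem=rec["cs-uri-stem"].lower(),
            client=rec["c-ip"],
            status=int(rec["sc-status"]),
            size=int(rec["sc-bytes"]),
        ))
    return out


def build_baseline(requests):
    """Set of script stems observed during a window believed to be clean."""
    return {r.stem for r in requests if r.stem.endswith(SCRIPT_SUFFIXES)}


def find_suspicious(requests, baseline):
    """
    Flag script paths outside the baseline that the server actually served
    (status < 400, so 404 scanning noise is ignored). Returns a list of
    (stem, client, n_requests, n_posts, bytes_out), worst first.
    """
    by_key = {}
    for r in requests:
        if not r.stem.endswith(SCRIPT_SUFFIXES) or r.stem in baseline:
            continue
        if r.status >= 400:
            continue
        k = (r.stem, r.client)
        n, p, b = by_key.get(k, (0, 0, 0))
        by_key[k] = (n + 1, p + (r.method == "POST"), b + r.size)
    rows = [(stem, client, n, p, b) for (stem, client), (n, p, b) in by_key.items()]
    rows.sort(key=lambda x: (x[3], x[4]), reverse=True)
    return rows


# Constructed "quiet week" log: only the application's own pages are hit.
BASELINE_LOG = """
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-bytes
2023-05-20 09:00:01 10.0.0.5 GET /app/login.aspx - 443 - 198.51.100.10 Mozilla/5.0 200 4120
2023-05-20 09:00:07 10.0.0.5 POST /app/login.aspx - 443 - 198.51.100.10 Mozilla/5.0 302 310
2023-05-20 09:01:15 10.0.0.5 GET /app/transfer.aspx folderid=12 443 jdoe 198.51.100.10 Mozilla/5.0 200 9870
2023-05-20 09:02:40 10.0.0.5 GET /app/images/logo.png - 443 jdoe 198.51.100.10 Mozilla/5.0 200 5120
"""

# Constructed incident log: a scripted client touches a script path the
# application never served before and pulls megabytes out of it via POST.
INCIDENT_LOG = """
2023-05-28 02:11:03 10.0.0.5 GET /app/login.aspx - 443 - 203.0.113.7 python-requests/2.31 200 4120
2023-05-28 02:11:09 10.0.0.5 GET /app/health2.aspx - 443 - 203.0.113.7 python-requests/2.31 200 512
2023-05-28 02:11:12 10.0.0.5 POST /app/health2.aspx - 443 - 203.0.113.7 python-requests/2.31 200 2048000
2023-05-28 02:11:40 10.0.0.5 POST /app/health2.aspx - 443 - 203.0.113.7 python-requests/2.31 200 4096000
2023-05-28 02:12:01 10.0.0.5 GET /app/admin.aspx - 443 - 203.0.113.7 python-requests/2.31 404 1200
2023-05-28 08:30:00 10.0.0.5 GET /app/transfer.aspx folderid=12 443 jdoe 198.51.100.10 Mozilla/5.0 200 9870
"""


def run_demo():
    """Baseline on the quiet log, then score the incident log."""
    baseline = build_baseline(parse_w3c(BASELINE_LOG.splitlines()))
    return find_suspicious(parse_w3c(INCIDENT_LOG.splitlines()), baseline)


if __name__ == "__main__":
    for stem, client, n, posts, size in run_demo():
        print(f"NEW SCRIPT PATH {stem} from {client}: {n} req, {posts} POST, {size} bytes out")
```

The check is deliberately exploit-agnostic, which is what makes it usable before a patch or WAF rule exists; its weakness is the baseline itself, which must come from a window you trust to be clean, and it will not see an attacker who only abuses endpoints the application already exposes. Pairing it with file-integrity monitoring of the web root (alert on any new script file) closes much of that gap.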
Traditionally at this point, after naming the top story of the year, this piece lists notable hacks from the previous 12 months. If there’s enough information released by the victim firms, there are lessons CISOs can learn from some of these incidents — rank your IT assets and prioritize patching, change default passwords on network devices like routers, force employees to use app-based multifactor authentication or security keys for logins, have a practiced incident response plan, have a practiced data recovery plan. These lessons can be neatly summed up as “Obey Cybersecurity 101.”
But before briefly recounting those incidents to CISOs and CEOs, I draw attention to two investigations into attacks this year. One was by the U.S. Cyber Safety Review Board into the reasons behind, and lessons learned from, the successful hacks of the Lapsus$ gang. (Two members of the gang were just sentenced by a U.K. judge.)
The board is a wing of the U.S. Cybersecurity and Infrastructure Security Agency. Composed of public and private experts who talk behind closed doors with victim firms, its mandate is to look into and report on the causes of significant cyber incidents.
Here are a few quotes from the Lapsus$ report: “If richly resourced cybersecurity programs were so easily breached by a loosely organized threat actor group, which included several juveniles, how can organizations expect their programs to perform against well-resourced cybercrime syndicates and nation-state actors?”
“The board found that the multi-factor authentication (MFA) implementations used broadly in the digital ecosystem today are not sufficient for most organizations or consumers. In particular, the board saw a collective failure to sufficiently account for and mitigate the risks associated with using Short Message Service (SMS) and voice calls for MFA.” Its advice: Make employees use an authenticator app or a security key. The report is also critical of wireless carriers for too easily allowing crooks to get away with SIM card swaps.
Another report that made interesting reading was the unclassified version of an investigation by the Inspector General of the U.S. Air Force into a low-level Airman's access to restricted information he allegedly leaked to a political discussion group. It is a lesson about an insider threat and the importance of determining the need to know.
Now here’s that recap of some of the year’s other interesting news:
As I said earlier, the number two news story of the year was the continued soaring number of ransomware attacks. By the count of NCC Group, the number was over 4,000, twice as many as last year. Sometimes it was hard for reporters to keep track, as companies or municipalities announced they had suffered a “cybersecurity incident.” Others said they had suffered an “encryption event,” thus avoiding the “r” word.
Among the Canadian victims: Ontario’s Liquor Control Board, bookstore chain Indigo, a service provider to five Ontario hospitals and the Toronto Public Library. According to The Globe and Mail, the library still can’t check out or return books via its computer system.
Others hit by ransomware around the world included supercar manufacturer Ferrari and MGM Resorts in Las Vegas.
A California law enforcement agency paid just over US$1 million to a ransomware gang after it was hit early last month. The Los Angeles Times reported that the San Bernardino County Sheriff’s Department and its insurance carrier split the cost so the department could get access to its data. The department had to shut down its email, in-car computers and a system deputies use for background checks.
Some gangs took pity after hitting victims that might arouse public anger, like hospitals. For example, at the beginning of the year, the LockBit ransomware crew gave Toronto’s Hospital for Sick Children a decrypter key so it could restore scrambled data.
However, others found new strategies for squeezing victims for money. The AlphV/BlackCat gang created a website that mimicked an unnamed financial company it hit that refused to pay. The message on the site: This company was hacked and here’s all of its data.
According to threat researcher Brett Callow of Emsisoft, the Medusa gang created a 51-minute video of screenshots of data allegedly copied from the Minneapolis Public School system to show the world it really had stolen data.
In September, I moderated a panel on ransomware at the annual SIBOS conference of the Swift IT messaging financial network, where one panelist declared ransomware is a crisis.
Law enforcement agencies did score some successes against ransomware and other cyber crooks. At least some of the AlphV/BlackCat gang’s infrastructure was taken down. (The gang says in retaliation it will show no mercy to critical infrastructure.) The FBI took down the Hive ransomware gang. It also arrested the alleged head of Breached Forums. The alleged perps behind DoppelPaymer ransomware gang were arrested. The RCMP and the FBI took down the Genesis criminal market. Police in Europe took down a gang specializing in business email compromise scams. The Five Eyes intelligence co-operative worked to take down the Snake malware network. And the suspected developer of the Ragnar Locker gang was nabbed in Paris.
BlackBerry CEO John Chen left the Canadian company after a decade at the helm. His effort to shift what was once the leading mobile device manufacturer into a leading cybersecurity company failed.
Considering the challenges Chen faced when he arrived, namely the rise of Apple's iPhone and the failure of the BB10 operating system to catch on, "he really has done a good job," said Brian Jackson, a research director at InfoTech Research. But while Chen bought endpoint provider Cylance in 2019 to add to the company's mobile device management platform, Jackson said enterprises saw BlackBerry as a point solution. On the enterprise side, partnerships were needed, Jackson said. A promising 2018 deal with Amazon, Jackson added, "never got off the ground." By contrast, he added, Chen forged many partnerships to sell the company's IoT portfolio, particularly to car manufacturers.
Huge victims of hacks included two American communications providers. T-Mobile had to notify 37 million customers of a data theft. Comcast Communications notified over 35 million of its subscribers of a data breach. Comcast was notified on Oct. 10 that its Citrix NetScaler Application Delivery Controllers needed to be patched, with more details following on Oct. 23. Comcast acted, but not fast enough.
A Canadian supermarket chain said the total impact of the cyber attack it suffered could be over $54 million.
Canadian Prime Minister Justin Trudeau confirmed that a Canadian pipeline was impacted in some way by a Russian hacktivist. No details were forthcoming. Separately, Canadian energy producer Suncor reported a cyber attack. Microsoft reported a Chinese group going after American critical infrastructure. Microsoft also reported a China-based threat actor was able to access the cloud-based Microsoft email accounts of approximately 25 organizations — including government agencies, as well as related consumer accounts of individuals likely associated with these organizations — by forging authentication tokens.
In one of the most creative attacks of the year, an unnamed criminal group tried to extort the respected Dragos industrial control cybersecurity company. It compromised the personal email address of a new sales employee before they started work at Dragos. That allowed the crooks to impersonate the new employee and get enrolled with the company online. After failing to elevate access privileges, the gang tried to extort Dragos by threatening to reveal their successful penetration. When that failed, they sent messages to family members of Dragos executives. One big lesson from this incident: Additional identity verification is needed for online onboarding of new staff.
Another imaginative attack: A Russian group spotted a Polish diplomat’s ad to sell a used BMW and turned it into an opportunity to spread malware by cloning the ad and, to get clicks, claiming the price had gone down.
Dressing someone in a uniform, in this case FedEx's, will still fool employees and allow a hacker to slip a USB key into a computer.
Canadian privacy commissioners made several important rulings. Home Depot Canada was criticized for not getting customers’ consent before sharing details of customers’ e-receipts. But the federal privacy commissioner’s attempt to have Facebook take responsibility for the Canadian part of the Cambridge Analytica scandal under Canadian privacy law was rejected by a judge. That ruling is being appealed.
Looking ahead, in 2024, watch for reports from the U.S. Securities and Exchange Commission into allegations that SolarWinds misled investors about its cybersecurity risks and vulnerabilities relating to the compromise of its Orion software update mechanism in 2020; Canada’s privacy commissioner’s investigation into the data theft of federal employees from relocation companies; and Nova Scotia’s privacy commissioner’s investigation into that province’s MOVEit hack.
Finally, those reading this story should be cheered that, at least according to one expert, an infosec pro has a job for life.