Categories
Security

Don’t drink the water — it’s been hacked

That’s a scary title, isn’t it? It could have been the headline in newspapers this week had it not been for the watchful eye of a water treatment plant operator in Oldsmar, Florida.

Last week, a hacker (or group of hackers) attempted to poison a Florida city’s water supply by accessing a dormant remote access software platform. If it hadn’t been caught in time, at least 15,000 people could have been affected.

Law enforcement agencies, including the FBI, the Secret Service, and the Pinellas County Sheriff’s Office, are currently investigating how the threat actor got in and who would want to do this. What we know so far is that a plant operator at the Oldsmar water treatment facility noticed someone remotely accessing the computer system he was monitoring — once at about 8:00am and again at 1:30pm — to open the function that controls the amount of sodium hydroxide (lye) in the water.

Lye is used to treat acidity in water by raising its pH levels and removing heavy metals. Too much lye in the water could cause skin burns and rashes — and the hacker changed the lye ratio from about 100 parts per million to 11,100 parts per million. This is obviously a significant and potentially dangerous increase. After the attacker left the system, the operator quickly reduced the lye concentration back to normal, so there was no adverse effect on the water. Importantly, the water treatment plant had redundancies in place, so even if the operator had missed the intrusion, the system would have caught the change in time.

So, what was this? A test by nation-state actors? An attempt to severely harm the townspeople of Oldsmar? As of this writing, there are no indications that this was a targeted attack. The Pinellas County Sheriff’s Office doesn’t have a suspect but is following leads — none of which point to terrorism. It may simply have been an act of vandalism. Vulnerable Internet-connected Industrial Control Systems (ICS) are not difficult to find.

In the case of the Oldsmar water treatment facility, the attack was neither successful nor sophisticated. A remote access software tool was either exposed to the open Internet or accessed by brute-forcing or guessing its password. (Although law enforcement says it doesn’t know how the hackers got onto the system, a CNN source counters that a password was required to operate the software remotely.) Unfortunately, a sophisticated attack isn’t required to produce a dangerous result, and what happened at Oldsmar simply highlights how many critical infrastructure systems are vulnerable.

IT and security professionals charged with securing vital infrastructure needn’t panic — the first priority here isn’t shielding against complex zero-days or advanced persistent threats. Instead, it’s the kind of grunt work facing all in cybersecurity today, such as patching, air-gapping, and enforcing two-factor authentication. My advice for anyone in infrastructure or others using remote access software:

  • Be careful with how much remote access software you deploy on your network. You should never leave this software unused for long periods, especially if it’s left open to the Internet.
  • Ensure that the remote access software you do have is configured properly. Open it only to staff that require remote access, and require they access it using a strong password and 2FA.
  • Remote Desktop Protocol (RDP) should be kept closed or used with protection, such as our Brute Force Protection module in Malwarebytes Nebula.
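The third point above is where detection can help as much as configuration: a brute-force attempt against RDP leaves a burst of failed remote logons from one source, often followed by a success. The following Python script is an added example for this post, not Malwarebytes’ Brute Force Protection logic. It runs a sliding-window check over constructed, simplified records that mirror the fields of Windows Security events 4625 (logon failure) and 4624 (logon success); LogonType 10 is the RemoteInteractive type used by RDP sessions. The log format, thresholds, and sample addresses are all assumptions made for the example.

```python
"""Brute-force pattern detection over remote (RDP) logon records.

Added example for this post, not Malwarebytes' Brute Force Protection logic.
The log format below is a constructed, simplified rendering of the fields
in Windows Security events 4625 (logon failure) and 4624 (logon success);
LogonType 10 is the RemoteInteractive type used by RDP sessions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: a burst of failed RDP logons from one source,
# one unrelated local failure, and a success from the same source afterwards.
SAMPLE_LOG = """\
2021-02-05T08:00:01 4625 LogonType=10 Account=admin Source=203.0.113.7
2021-02-05T08:00:04 4625 LogonType=10 Account=administrator Source=203.0.113.7
2021-02-05T08:00:05 4625 LogonType=2 Account=scada Source=10.0.0.5
2021-02-05T08:00:09 4625 LogonType=10 Account=operator Source=203.0.113.7
2021-02-05T08:00:12 4625 LogonType=10 Account=scada Source=203.0.113.7
2021-02-05T08:00:15 4625 LogonType=10 Account=operator Source=198.51.100.20
2021-02-05T08:00:16 4625 LogonType=10 Account=plant Source=203.0.113.7
2021-02-05T08:00:20 4625 LogonType=10 Account=operator Source=203.0.113.7
2021-02-05T08:00:31 4624 LogonType=10 Account=operator Source=203.0.113.7
2021-02-05T13:30:02 4625 LogonType=10 Account=operator Source=198.51.100.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\d{4}) LogonType=(?P<ltype>\d+) "
    r"Account=(?P<account>\S+) Source=(?P<src>\S+)$"
)


def parse_events(text):
    """Parse the constructed format into dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "event": int(m["event"]),
            "ltype": int(m["ltype"]),
            "account": m["account"],
            "src": m["src"],
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with >= threshold RDP failures inside a sliding window,
    and record whether a later RDP success came from a flagged source."""
    recent = defaultdict(list)   # source -> failure timestamps inside the window
    tried = defaultdict(set)     # source -> account names attempted
    alerts = {}
    for e in parse_events(text):
        if e["ltype"] != 10:
            continue             # only remote interactive (RDP) logons matter here
        src = e["src"]
        if e["event"] == 4625:
            tried[src].add(e["account"])
            bucket = recent[src]
            bucket.append(e["ts"])
            while bucket and e["ts"] - bucket[0] > window:
                bucket.pop(0)    # expire failures older than the window
            if len(bucket) >= threshold:
                alert = alerts.setdefault(src, {
                    "first": bucket[0], "last": None, "failures": 0,
                    "accounts": tried[src], "success_after": None,
                })
                alert["failures"] = len(bucket)
                alert["last"] = e["ts"]
        elif e["event"] == 4624 and src in alerts:
            # A success from a source already flagged for a burst is the
            # record to escalate: the password was likely guessed.
            alerts[src]["success_after"] = e["account"]
    return alerts


if __name__ == "__main__":
    for src, a in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {a['failures']} RDP failures between {a['first']} and "
              f"{a['last']}, accounts tried {sorted(a['accounts'])}, "
              f"success afterwards: {a['success_after']}")
```

The source with only two failures hours apart never trips the threshold, while the burst from 203.0.113.7 is reported together with the account that subsequently logged on. Against a real Security log you would feed in exported 4624/4625 events in the same shape and tune `threshold` and `window` to the normal failure rate of your remote users.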

To learn more about the hack of the Florida city water facility, read our blog on Malwarebytes Labs:
https://blog.malwarebytes.com/hacking-2/2021/02/hackers-try-to-poison-florida-citys-drinking-water/

Emotet bites the dust… or does it?

If I never hear the name “Emotet” again, I’d be a pretty happy guy. But it’s worth bringing up this bad boy one more time to announce its demise — or at least the beginning of its end.

On January 27, Europol announced that law enforcement agencies from eight countries seized control of the Emotet botnet in a coordinated effort, putting a stop to more than six years of torment from one of the world’s most dangerous forms of malware.

Although the culprit has been metaphorically locked up, the final blow won’t be delivered until April 25, when an update pushed out to all infected servers will wipe them clean of Emotet once and for all. How did law enforcement finally shut down this banking-Trojan-turned-beast? Why are they waiting until April to wipe it out? What are the ethical pitfalls of pushing code — even “good” code — onto these infected networks?

Law enforcement bests Emotet in TKO

The notorious Emotet botnet, which first appeared as a banking Trojan in 2014, is known for its consistent ability to shapeshift, which allowed it to avoid detection and drop other vicious malware in its wake. Over the more recent years, it wreaked havoc on organizations with other partners, including the equally dangerous TrickBot and Ryuk ransomware.

On January 27, Emotet met its match when agencies from the United States, United Kingdom, Germany, the Netherlands, and more gained control of its infrastructure and took it down from the inside. In a statement announcing the action, Europol described Emotet’s infrastructure as involving several hundred servers across the world, all of which had different functionalities: to manage computers of the infected victims, to spread to new ones, to serve other criminal groups, and to make the network more resilient against takedown attempts.

The global effort to bring down Emotet’s complex web of servers and controllers, dubbed Operation Ladybird, should not be underestimated. Law enforcement coordinated with security researchers from the private sector to take over Emotet’s C&C infrastructure — located in more than 90 countries — while simultaneously arresting at least two of the cybercriminal crew members behind it.

“Unlike the recent and short-lived attempt to take down TrickBot, authorities have made actual arrests in Ukraine and have also identified several other individuals that were customers of the Emotet botnet,” said Jérôme Segura, Director of Threat Intelligence for Malwarebytes. “This is a very impactful action that likely will result in the prolonged success of this global takedown.”

In its press release, Europol described the approach to Emotet’s take-down as “unique and new.” While details of how Operation Ladybird was able to disrupt the Emotet botnet are still emerging, we do know that infected machines have been redirected toward the law enforcement-controlled infrastructure. This effectively removes the threat posed by Emotet by preventing it from contacting the infrastructure it uses to receive updates and deliver malware.

Shortly after the Emotet infrastructure was seized, Dutch authorities deployed an update: a special cleanup payload with code to remove the malware from infected computers on April 25. Why so far away? The lengthy delay gives system administrators time for forensic analysis and to check for other infections that Emotet may have left behind. After Emotet uninstalls itself on April 25, these investigations will be harder to carry out.

But pushing code via botnet, even with the best of intentions, has always been a thorny topic. In this case, law enforcement took control of one of the most significant botnets of the decade — but instead of dismantling it, they pushed an update that will likely impact many thousands of organizations and endpoints — without consent. The end result is positive, of course. But what about the ramifications? The DOJ actually distanced itself from the update, stating in its affidavit that “foreign law enforcement agents, not FBI agents, replaced the Emotet malware, which is stored on a server located overseas, with the file created by law enforcement.”

What are your thoughts about the downfall of Emotet? Do you think this is the last we’ll hear of it? Do you believe it was a good idea to deploy the Emotet update, even without consent?

To read the Department of Justice’s official release on the operation that took down Emotet: https://www.justice.gov/opa/pr/emotet-botnet-disrupted-international-cyber-operation

Greatest cybersecurity hits of 2020

It’s been an unprecedented year for cybersecurity. The pandemic has forced organizations to evolve at breakneck speeds, strong-arming a distributed, remote work model for millions of employees at once — and in the process, leaving corporate networks more vulnerable. Distance learning has brought IT and security issues into every student’s and teacher’s living rooms. The increase in online shopping has lured cybercriminals to take advantage via digital skimming. As we close out this most difficult year, it might appear that the cybercriminals have the upper hand.

Yet as I look back on the scams, phishing campaigns, new malware strains, and sophisticated attacks, I also see teams of IT and security professionals adapting swiftly to wave after wave of obstacles. I see Herculean efforts to keep companies up and running and students learning. I see researchers, analysts, system admins, technicians, directors, and CISOs working together to solve complicated problems. And that makes me hopeful as we head into 2021 and face new challenges. So, let’s take a look back at some of the major cyber events of 2020 and keep their lessons fresh in our minds as we tackle the new year with fortitude, resilience, and renewed optimism.

We may have kicked off this year with 20/20 vision, but none of us had the foresight to predict what was to come. Not long after the beginning of the year, the coronavirus reached the United States, and its first impacts on cybersecurity were cancellations of major conferences. However, as cases rapidly increased through March, it became clear that we had to hunker down and stay in our homes. This, of course, brought on a massive shift to remote work.

For resources on the impact of working from home on security:

As more and more states issued social distancing, masking, and shelter-in-place orders, cybercriminals (ever the opportunists) capitalized on the rising fear with COVID-19 misinformation campaigns, phishing emails that dropped Emotet payloads, and even APT attacks using the coronavirus as a lure. Here are a few stories featuring the ways in which threat actors leveraged public fear and confusion about the virus to their advantage:

Meanwhile, cyberattacks on organizations, a carry-over trend from 2019, picked up pace on SMBs through large enterprise. The malware of choice? Ransomware. Ransomware variants became stealthier and harder to remove as the threat actors behind them became bolder, double-dipping on extortion and raising ransom prices through the roof. Here are just a few of the notable ransomware attacks of 2020:

Attacks on ecommerce platforms, schools/distance learners, and of course the latest discovery of the alleged Russian hack of federal government agencies and IT/security companies round out an astonishing year in cybersecurity. In comparison, the entire previous decade seems pretty tame!

For other takes on the year in cybersecurity, take a look at the following: https://www.techradar.com/news/2020-could-be-the-worst-year-in-cybersecurity-history

https://www.govtech.com/blogs/lohrmann-on-cybersecurity/2020-the-year-the-covid-19-crisis-brought-a-cyber-pandemic.html

And for a look ahead at 2021, Security Magazine has five predictions: https://www.securitymagazine.com/articles/94223-cybersecurity-predictions-for-2021

The cyberattack that could only happen in 2020

I’m sure you already heard the news. Last week, we learned that (likely) Russian nation-state hackers conducted a massive APT attack that impacted thousands of companies and government agencies through tainted updates of the SolarWinds Orion platform. This sophisticated supply-chain attack ensnared over 200 public and private organizations dating back to March.

We are relatively early in the process of deconstructing this stealthy attack — more details will emerge over time, including what the Russian APT group was really after, though we do know they monitored communications of hacked organizations for months. The US Cybersecurity and Infrastructure Security Agency (CISA) called the attack a “grave risk” to national security, while others described it as devastating to the economy, infrastructure, and public trust on a level not seen since ShadowBrokers.

Attacks like these are scary as hell, but they’re not going away. That’s why it’s important to share what we know, so there doesn’t have to be a “next time.”

Massive Russian hack leaves private and public sector reeling

If you were in a minor state of shock after learning about the presumed Russian hack, you weren’t alone. As if our supply chain, infrastructure, and business security weren’t already taxed enough by the pandemic, IT teams running SolarWinds software must now contend with complex mitigation efforts to root out backdoors slipped into Orion platform updates earlier this year. The booby-trapped updates pushed the Sunburst malware onto victim networks, where it gathered recon for 12 to 14 days before sending data to a remote C&C server. If the intelligence proved fruitful, Russian threat actors then escalated their attacks on select networks.

It’s important to note that of the 18,000+ organizations that received malicious updates through Orion, only 200 were targeted for follow-on action. Therefore, many businesses may be sitting on a “dormant” version of the Sunburst malware and not yet know it. CISA advises: “Organizations with suspected compromises need to be highly conscious of operational security, including when engaging in incident response activities and planning and implementing remediation plans.” However, there are a few proactive steps you can take:

  • Immediately isolate any systems running the Orion platform versions 2019.4 HF 5 through 2020.2.1, released between March and June 2020
  • Scan your premises using an endpoint protection product like Malwarebytes and look for detections, such as Backdoor.Sunburst and Backdoor.WebShell
  • Use the Indicators of Compromise at the end of this Malwarebytes Labs blog to hunt within your logs, telemetry, and other SIEM data and establish the likely timeline of the intrusion
  • Perform a comprehensive security sweep to review and harden your physical and cloud infrastructure
  • Upgrade to Orion platform version 2020.2.1 HF 2 and restore systems once you feel confident with the previous steps
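The first and last steps above both turn on the same question: which of your Orion hosts sit inside the affected build range, and which already carry the fixed hotfix? The following Python script is an added example for this post, not SolarWinds or Malwarebytes code. It parses Orion version strings (including the “HF n” hotfix suffix), orders them so that a hotfix sorts after the base release it patches, and sorts a constructed host inventory into isolate / patched / review buckets. The bounds (2019.4 HF 5 through 2020.2.1, fixed in 2020.2.1 HF 2) are the ones this post lists; treating them as inclusive, and sending anything between 2020.2.1 and HF 2 to manual review, are assumptions made for the example.

```python
"""Triage an Orion host inventory against the affected build range named
in this post. Added example; not SolarWinds or Malwarebytes code. The
bounds (2019.4 HF 5 through 2020.2.1, fixed in 2020.2.1 HF 2) come from
the post and are treated as inclusive; that treatment is an assumption.
"""
import re

# year.minor[.patch][ HF n], e.g. "2020.2 HF 1" or "2020.2.1"
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?$", re.IGNORECASE)


def parse_orion_version(text):
    """'2019.4 HF 5' -> (2019, 4, 0, 5); '2020.2.1' -> (2020, 2, 1, 0).
    A hotfix sorts after the base release it patches."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    year, minor, patch, hf = m.groups()
    return (int(year), int(minor), int(patch or 0), int(hf or 0))


AFFECTED_LOW = parse_orion_version("2019.4 HF 5")   # from the post
AFFECTED_HIGH = parse_orion_version("2020.2.1")     # from the post
FIXED = parse_orion_version("2020.2.1 HF 2")        # from the post


def classify(version):
    """'isolate' for builds in the listed range, 'patched' at or above the
    fixed hotfix, 'review' for anything else (older builds, or the gap
    between 2020.2.1 and HF 2, which the post does not address)."""
    v = parse_orion_version(version)
    if AFFECTED_LOW <= v <= AFFECTED_HIGH:
        return "isolate"
    if v >= FIXED:
        return "patched"
    return "review"


def triage(inventory):
    """inventory: iterable of (hostname, version) -> {status: sorted hosts}."""
    result = {"isolate": [], "patched": [], "review": [], "unknown": []}
    for host, version in inventory:
        try:
            result[classify(version)].append(host)
        except ValueError:
            result["unknown"].append(host)   # unparsable string: check by hand
    return {status: sorted(hosts) for status, hosts in result.items()}


# Constructed inventory for the example run; hostnames and builds are made up.
SAMPLE_INVENTORY = [
    ("orion-prod-01", "2020.2 HF 1"),
    ("orion-prod-02", "2020.2.1 HF 2"),
    ("orion-lab-01", "2019.4 HF 5"),
    ("orion-legacy", "2019.2"),
    ("orion-dr", "2020.2.1 HF 1"),
    ("orion-misc", "unknown build"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:8} {', '.join(hosts) or '-'}")
```

The `review` bucket exists on purpose: a version-range check should never silently pass a host it cannot place, so builds older than the range, builds in the gap below the fixed hotfix, and unparsable strings all come back for a human decision rather than being treated as clean.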

For more technical information on the cyberattack from CISA: https://us-cert.cisa.gov/ncas/alerts/aa20-352a

Most US schools fail to secure distance learners

Education in the United States faced a crisis this year. The looming threat of the coronavirus — which spreads easily in enclosed classrooms — forced schools across the country to develop new strategies for education, most involving some form of distance learning.

The dramatic stress of this transition on teachers, parents, and students is well-known. But the impact of long-term distance learning on the cybersecurity posture of schools and districts has not yet been studied — until now. Researchers at Malwarebytes surveyed IT decision-makers and students from K–12 and trade schools, as well as colleges, throughout the US to compile a report on how education security has fared in the wake of the pandemic.

The results paint a rather grim portrait; the education sector, having always struggled with a lack of IT budget and personnel, was ill-equipped to move millions of students to a distance learning model. And despite Herculean efforts by IT teams to connect every student and teacher, cybersecurity often slipped through the cracks.

US distance learners remain vulnerable to cyberattack

US schools have been under tremendous pressure over the last 10 months. Forced to close their doors with little warning, teachers, administrators, and IT teams spent the first few months of the pandemic simply figuring out logistics, such as how to get students access to school resources, devices, and Internet service. Unlike most workplaces, schools have been slower to adopt new technologies, and they were not set up for an easy transition to a distance learning model.

Yet even now, halfway through the schoolyear, educational institutions are struggling with cybersecurity for distance learners. Nearly half of all schools did not change their cybersecurity protocols in response to the new distance learning model, which resulted in a number of issues that dramatically increased IT workload and put undue strain on teachers. Some schools even suffered cyberattacks that delayed their distance learning lesson plans for up to a week. Other key takeaways from the report include:

  • 51 percent of IT decision-makers said that no students, teachers, staff, or guests (including parents) were required to enroll in cybersecurity training before the new school year began
  • 47 percent said their schools developed no additional requirements — no distance learning read-throughs, no antivirus tool installations — for the students, faculty, or staff who connected to the school’s network
  • 46 percent of students said their schools suffered a cyberattack (though only 3 percent of IT professionals admitted to the same). On the flip side, of those who engaged in security best practices before the transition to distance learning, none experienced a breach or had to cancel a single day of learning due to a cyberattack

Clearly, security awareness makes a difference in the overall safety of an organization. In fact, of those who were well-studied in cybersecurity, fewer suffered sustained, excess IT workload or experienced Zoombombing attacks than those who were less prepared. However, knowledge is only half the battle. Many respondents were saddled with device and data shortages. Other schools fell flat on security budget. Additional IT challenges presented by distance learning include the following:

  • 40 percent of educational IT pros said their schools are still missing laptops, computers, or tablets for students
  • 28 percent are still missing these devices for teachers
  • 20 percent of IT decision-makers said they had trouble convincing their schools to invest in cybersecurity
  • 44 percent admitted to difficulties in managing the sudden increase of devices connected to the school network
  • 80 percent said there was a steep learning curve for teachers, students, and staff to adapt to online learning tools

But the report wasn’t all doom and gloom. IT professionals had a gargantuan task in front of them to keep teachers teaching and students learning, and for the most part, they were up to the task. About 72 percent of schools provided Chromebooks, tablets, and hotspots to students, and 59 percent distributed laptops, external microphones, and webcams to teachers. More than 70 percent deployed new software tools for distance learning, including Google Classroom and Zoom.

Unfortunately, despite super-human efforts by some educational IT teams, a lack of resources, personnel, and budget has strained an already impacted security posture to nearly the breaking point. About 76 percent of respondents experienced connectivity issues, 30 percent suffered a Zoombombing attack, and 52 percent of teachers had to step in and solve an IT or security issue for students and parents. On the bright side, actual cyberattacks were relatively rare.

So, what can educational IT teams do to improve their school’s security posture in 2021 and beyond? Here’s what the report suggests:

  • Create and train teachers and staff on new cybersecurity policies relevant to distance learning (For other businesses, this can be an additional set of rules related to remote work/work from home)
  • Develop requirements that direct teachers and parents to the appropriate point person in IT or security, should issues arise that need solving quickly
  • Implement access rules, including whether students should use a VPN or password manager to access the school’s network and accounts
  • Host cybersecurity training events for teachers, staff, students, and parents

For more information on the state of education security in the US, read the full report from Malwarebytes Labs here: https://resources.malwarebytes.com/files/2020/12/Lessons-in-cybersecurity_How-education-coped-in-the-shift-to-distance-learning_Malwarebytes.pdf