Published on May 28th, 2022
Cyber Security Today, Week in Review for Friday May 27, 2022
Welcome to Cyber Security Today. From Toronto, this is the Week in Review for the week ending Friday May 27th, 2022. I'm Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In a few minutes I'll be joined by Terry Cutler, head of Montreal's Cyology Labs, to discuss some of the news from the past seven days. First, a roundup of highlights:
Once again ransomware was big in the news: Researchers said that for various reasons the Conti gang has decided to shut down its brand and instead work through affiliated gangs. Terry and I will discuss whether infosec pros should care.
Meanwhile a new extortion group called RansomHouse has emerged. According to one news site, it claims the Saskatchewan Liquor and Gaming Authority was a victim in December.
The latest annual Verizon Data Breach Investigation Report was released. The authoritative report, which analyzes information on cyber incidents and data breaches from a large number of cybersecurity companies, found ransomware incidents were up 13 per cent last year over 2020.
It also found mistakes by employees, partners and others were responsible for 14 per cent of all data breaches in 2021.
Terry and I will also look at a report that hackers found a way to open accounts on social media and other sites in a victim's name with just their email address, with the goal of stealing their personal information.
Clearview AI, which sells facial recognition software to police forces, has been under attack for a long time for copying billions of images of people off the internet to use for comparative purposes. It's facing new problems: The United Kingdom's privacy commissioner has fined the company the equivalent of over $9 million for using people's faces without their consent. And it ordered Clearview to delete the images of UK residents from its databases. Clearview has also been fined by regulators in France, Italy and Australia. In Canada, Clearview is fighting an order by privacy commissioners here to delete the images of Canadians in its databases.
Finally, there's more fallout from the Cambridge Analytica scandal. The now-defunct British firm acquired personal information about tens of millions of Facebook users from an app developer. The city of Washington, D.C., launched a lawsuit against Mark Zuckerberg, who heads Facebook's parent company Meta. It alleges Facebook's failure to tell users their personal information may be shared with third-party applications without their knowledge misled subscribers. In 2015 Facebook was fined $5 billion by the U.S. Federal Trade Commission over the incident.
(The following transcript has been edited for clarity)
Howard: Ransomware gangs often rebrand as law enforcement agencies crack down on them. But this week came news that the Conti ransomware gang, known for attacking big companies and government departments, is retiring its brand to instead work closer with other gangs. What do you make of this news?
Terry Cutler: We've heard this before — a group retires, then they come out of retirement and they rebrand. I think what's happening here is that there's just way too much heat on them [Conti] and some of their members may be getting a little scared. Some are asking the group to like tone it down a little bit. That's why I think they're switching now to smaller groups. I think after they threatened the Costa Rican government that's where they'd rather just work with other operators like Karakurt or BlackByte. Remember, it's the Conti brand that's shutting down. The actors are still there. They're just shutting things down like the negotiation site, the chat rooms, the messenger servers and the proxy servers. That doesn't mean that the threat actors themselves are retiring.
Howard: The research, which was done by a firm called Advanced Intel, argues that the recent and highly-publicized attack on government departments in Costa Rica has been used as a smokescreen for Conti's strategy shift. In the past couple of weeks Conti has made us think that it's trying to overthrow the government, but it's really restructuring. What do you think?
Terry: I think that's part of their great grand finale, to use this as a publicity stunt. This way they can perform their own death, and then maybe, a rebirth. We have to see what's going to happen. But I also heard that things were a little bit toxic, too, because the group pledged their allegiance to Russia and was in favor of the invasion of Ukraine. Maybe that didn't sit well with other members. That's why there was some leakage of some private gang chat messages and logs.
Howard: That would appear true according to some interpretation. The leak was a bit of vindictiveness by someone regarding the Conti endorsement of the Russian invasion of Ukraine.
So for those of you who are keeping score, this report says Conti will focus on supporting data-stealing groups such as Karakurt, BlackBasta and BlackByte, as well as ransomware groups called AlphaV/BlackCat, Hive, Hello Kitty and AvosLocker. So if I'm a cyber security leader at a company, because Conti is doing this do I need to change my strategy in any way?
Terry: First I'd like to know who comes up with the names of these groups.
Your defences really come down to visibility [on the network]. The goal here is to shrink your attack surface as much as possible. We know there's no silver bullet to stop a hacker, but you want to make it as difficult as possible for them to get in. A lot of companies right now don't have the right tools or the automation in place, or maybe are not even working with the right outsourced partner. So I don't think they're going to fare well in a cyberattack, because there are so many ways for an attacker to get into your system. IT is dealing with phishing attacks, untrained users, stolen passwords, unpatched systems, they don't have EDR [endpoint detection and response software] in place, there's no network monitoring, no log management ... The IT department has to deal with all these ways that attackers can get in. And on top of that IT people are not necessarily trained in cybersecurity or incident response and forensics. They need to team up with a cybersecurity expert or firm to keep an eye on their infrastructure.
Howard: Listeners may recall that a year ago an international group of researchers and vendors called the Ransomware Task Force issued a report, which in part called on governments to take more action to fight ransomware groups. Last Friday it issued a first-year report looking back at what was accomplished. Admittedly fighting cybercriminals in the digital era is no small task, but most researchers, including the annual Verizon Data Breach Investigation report — which was released on Tuesday — agree that ransomware is only increasing. However, some governments and insurance agencies think it's slowing down or at least stabilizing. This lack of consensus is a challenge, say the Ransomware Task Force authors. Briefly, the Task Force believes that of its 48 recommendations there's been tangible progress on 12, such as promises by a number of governments to work together to fight ransomware. Here's an example: The U.S. said that it's about to convene a joint [inter-department] ransomware task force which was mandated under a recently passed federal law. My question to you is, are governments doing enough — and in particular is Canada doing enough to fight ransomware?
Terry: Here's the biggest challenge. It's all around attribution — finding out where these people [threat actors] are, and as you know it's really difficult to find out who's behind these attacks because there are so many ways to hide their tracks. And the moment they've uncovered one server there might be no logs on there, or if there are logs the guy's hidden another one. So eventually there's gonna be no logging. In some cases there's going to be human error — maybe the [victim's] backups weren't done properly and there's months of data missed. You're faced with the challenge of do we pay to get our data back or do we not pay it and lose our data? ... That's a big challenge, especially with small businesses: If you don't pay that ransom and you don't have a proper backup, you're going to go out of business. But when organizations don't pay, attackers lose their main revenue stream. That's why they're going to go after small and medium businesses, and critical infrastructure providers ... That's why I think the focus now is going to be on helping organizations prepare and respond to these types of attacks.
Howard: Also this week, researchers at Cyberint released a report on a new extortion group called RansomHouse. It specializes in stealing data and then holding it for ransom. So it doesn't bother with encrypting data. According to the Bleeping Computer news site, the Saskatchewan Liquor and Gaming Authority was one of its none victims. In December the authority acknowledged being hit by a cyber incident. That forced it to temporarily take IT systems offline. This is seemingly part of a new trend for threat groups to just forget about infecting a firm or government with ransomware — just steal the data and hold it for ransom.
Terry: Again, it all comes down to no [network] visibility inside these organizations ... There's a tactic that I tried a couple of years ago where you could do some advanced Google searches to see if customers' data leaked because they were misconfiguring their database backups. And it was actually copying the data to another server, but it was unlocked. So we would try and contact these customers and say, "Your data is visible. How about we come in and do a cyber audit to help lock you down." And we would be accused of being the hackers trying to extort them. That's why it's very difficult to try and help organizations take cyber security seriously.
Howard: Companies shouldn't feel they're defenseless. They actually have quite a bit of control over their defenses.
Terry: One of the things they need to do is a cybersecurity audit, especially if they haven't had a penetration test done in a long time — and a penetration test is essentially what hackers are doing. They're giving you a free penetration test — but if you fail you just lost your data. The difference with us on the ethical hacker side is that we're going to provide you a report that shows you all the vulnerabilities. And it's going to cost far less to get a proper audit done than having your data ransomed.
Howard: The last story that I want to look at was an interesting report about crooks tricking people into getting social media and other accounts that they didnât know they had.
Terry: Cybersecurity researchers were able to reveal that hackers can actually hijack your online accounts before you even register them. They did this by exploiting a flaw that's now been fixed in most popular websites like Instagram, LinkedIn, WordPress, and Dropbox. It's called a pre-hijacking attack. The hacker needs to know your email address. They can find this out either by email correspondence or through data breaches. The attacker then creates an account on a vulnerable site. The site sends confirmation emails to you. The hope is you get annoyed by this email and confirm or create the account. If you do either, you use the password the attacker set up. If you ask for a password reset, the hacker sees that, too. The problem is there's a lack of strict verification of email registrations. The best way to deal with this is that once you've registered your account, immediately activate two-step verification.
Howard: So this is another form of what's broadly called a social engineering attack. The crooks are betting that you're going to get tired of being pestered by a notification about an account you didn't know you had and so you'll ask for a password reset. But one way or another the crook still has access, so eventually they're going to start to get personal information about you. This is especially dangerous if what they do is they get hold of your LinkedIn account. There's a number of techniques that the crooks can use, so I've simplified it. Isn't this a major failure of websites and their process management?
Terry: It's a registration process. Sites want to make it as simple as possible for users to be on-boarded, because if it's complex either they won't subscribe or they're going to start emailing the support hotline. But it's up to sites and people to secure their accounts. Cybersecurity is everyone's responsibility. Multifactor authentication is one of the biggest keys to stopping these breaches and people are still not using it.