Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday, January 7th, 2022. I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.
I’ll be joined in a few minutes by Terry Cutler, the head of Montreal’s Cyology Labs, to discuss some of the week’s top stories. But first a recap of the news from the past seven days:
The Karakurt data-stealing gang is going strong. Just as the year ended it named 11 American and Canadian organizations it had hacked. It demanded bitcoin or the companies would be embarrassed by the public release of stolen data. Terry and I will discuss attacks on small and mid-sized companies.
We’ll also look at a report by New York State into the widespread use of credential stuffing by threat actors, and the promise by the U.S. Federal Trade Commission to go after companies operating in the United States that don’t act fast enough to close holes left by the Apache log4j vulnerabilities.
Elsewhere, security researchers at Sygnia reported finding a new threat group that’s been stealing millions from financial institutions in Latin America. Often its initial way of breaking in is by targeting legacy Java applications running on Linux servers. Companies around the world should be on guard.
Another third-party supply chain cyberattack has been discovered, one that goes after real estate companies. Real estate websites often offer videos of properties for sale. But researchers at Palo Alto Networks say a gang compromised a cloud video hosting platform that some real estate companies use. The malware gets downloaded to the victims’ websites and then inserts JavaScript code that skims off sensitive information that real estate customers enter in online forms. That’s why this is called formjacking. Cloud application providers and website administrators have to watch for signs of compromise.
Finally, a California man this week admitted to conspiring to commit wire and securities fraud for his role in a $50 million internet-enabled investment fraud scheme. The man and others created 150 fraudulent websites to convince people to buy certificates of deposit with high average rates of return. Some of the websites closely resembled sites of real financial institutions, real enough to fool at least 70 people. The man will be sentenced in May.
(The following is an edited version of a discussion. To hear the full conversation play the podcast)
Howard: Terry Cutler’s going to join us now. I want to start with my report about the Karakurt gang announcing 11 more victim organizations in the U.S. and Canada, including Montreal’s tourism agency and a heavy construction equipment manufacturer in Western Canada.
An Accenture report on the Karakurt group says it typically uses stolen or weak credentials to get into organizations — we’ll come back to this tactic in another story later in the podcast. But once again bad passwords and lack of multifactor authentication come back to bite companies.
Terry: Unfortunately, we’ve talked about [needing] multifactor authentication for years. Passwords are really terrible. It’s hard to create strong passwords. People forget their passwords so they create weak ones. They’re leaking on the dark web and being reused. You need to have multifactor authentication in there to prove that it’s something that you have and it really is your account to be able to use it.
Howard: The Accenture report also talks about this gang’s tactic of “living off the land.”
Terry: “Living off the land” is when an attacker uses what’s at their disposal on the victim’s system, tools like Bitlocker that’s built into Windows, that bypass endpoint detection and response technologies. It’s very hard just to stop these types of attacks.
Howard: These are tools that are already in your IT environment, like PowerShell. Crooks use them instead of custom tools that may be detected because they’re unusual. They’ve just been added by the crooks to the IT environment. They’re using things like PowerShell, and as you say, Bitlocker against yourself. So how do you defend against that?
Terry: How IT defends against that is very, very difficult. You know we have to really look at a proper detection and response plan.
Howard: Certainly it’s going to help if you’re monitoring your network closely and you’re looking for signs of suspicious activity. You’re looking for suspicious use, for example, of PowerShell.
Terry: Right. So here’s a problem that we’re seeing when it comes to protecting your business: We all know to create a strong password, to turn on multifactor authentication, to not click on links you’re not supposed to, to watch out for suspicious websites. You’ve got ransomware, viruses, worms, Trojan horses, botnets and zombies … I could totally relate as a business owner and not feel overwhelmed by all of these things to look for. Just look at ourselves as cyber security experts. I receive about 30 emails a day that talk about the latest vulnerabilities in different products and services. Even I have a hard time keeping up.
Howard: Looking at the list of recent alleged victims of the Karakurt gang, they can all be classified I think as small to medium size organizations. One is a digital marketing company, one makes custom bathrooms, one’s a Canadian First Nation community, another is a Canadian data management consulting firm. We’ve talked before about the problems of small and medium-sized businesses. What are they doing wrong when it comes to cybersecurity?
Terry: A lot of the common feedback I hear is that cyber security or internet safety is not very interesting. They see no value because they feel they’re not a target. And there’s too much technobabble. The management team doesn’t understand what the technicians or IT guys are saying … They don’t realize that hackers are actually in their system for months or years prior to being detected. So the biggest theme that I’m seeing from these small and medium businesses is that they don’t know where to start.
A lot of times they’ve never had a cybersecurity audit, or never had one in years. They protect their IT networks like the one in their home. They think that because their management team, for example, is trained that if we have an antivirus, a firewall and encryption that we’re safe — but in reality we’re seeing that they have no [malware] detection in place, or a response plan to take action in case they find a cybercriminal in their system …
That’s my common theme: Let’s get an audit to see where you are today, and look at where you should be and where you need to be. These reports are going to show things like user accounts that are still active in a system for people that haven’t been with the company for months or years, problems with patch management, IoT devices that are on their network that might not be secured properly and could bypass all their security, terrible passwords, weird logins at odd times of the night. That list keeps repeating.
Howard: What’s your most persuasive argument to get SMBs to pay more attention to cyber security?
Terry: A lot of times I say, “Go talk to one of your peers.” Here’s a perfect example: We worked with a transport company. Another transport company got hacked. Our client saw that it cost them close to $300,000 in damages — everything from paying the ransom to getting IT staff on site to rebuilding their network … My last argument would be let me just run a free cybersecurity assessment on your network. If I don’t find anything then you’re good to go. And then they see that their IT guy hasn’t been telling them the whole picture.
Howard: Another big story this week was the release of a report by the New York State attorney general’s office into credential stuffing. For those who know, that’s when cybercrooks stuff stolen usernames and passwords into login forms until one works. Tell us more about this investigation.
Terry: To bring this threat to the attention of the public the attorney general’s office stalked a bunch of criminal websites that were selling over 1 million stolen and tested usernames and passwords. They could be used against 17 well-known businesses like retailers, restaurant chains and also food delivery services. It’s critical because these attacks hadn’t been detected before. That’s why as I mentioned earlier it’s very important that we get security audits done because we can see these weird logins happening. A lot of these companies may not have continuous monitoring in place to find these types of attacks, or they’re not maybe protecting their privileged access accounts.
That’s why it’s very important to have technology in place that can detect if a user signed in one location and tries to sign in at the same time from another location — which would be suspicious. Technology would cut off the access and report it to the management team.
Howard: The report quotes a study that finds victim firms lose an average of $600,000 a year to credential stuffing, from lost customers, from application downtime and from increased IT costs. Tell us about some of the report’s recommendations on how you can lower the risk of being victimized.
Terry: Three recommendations are 1) have a bot detection service in place that detects credential stuffing, 2) turn on multifactor authentication, and 3) use password-less authentication — although I have a hard time with this. A lot of legacy applications can’t support that type of technology.
Howard: The report says that one of the most effective safeguards is preventing customers from storing their credit card numbers in your organization. Businesses do that so customers don’t have to keep re-entering their data. But it also allows cyber crooks to use accounts they’ve hacked through credential stuffing. So it’s a best practice to require customers to re-enter a credit card number or security code when they’re buying a product. The report says it’s critically important that re-authentication be required for every method of payment that a business accepts.
Terry: That’s key because when a cybercriminal breaches your computer system he could do things like extract all the passwords that are stored in the customer’s browser, and that includes credit card information. The problem that I see here is around the consumer space where they think it’s all about convenience. And when they have to re-enter their password all the time, re-enter their credit card stuff all the time they’re going to see this as a major hassle and they may not want to shop there anymore. There has to be a cultural change.
The report also talks about the importance of having a written incident response plan. This is a service that keeps us really, really busy because a lot of times a cyber criminal’s been in your business for months and years. With no response plan to get them out, or if there’s a ransom attack, organizations are just scrambling. They don’t know what services to bring back online first. They don’t know who to call. They think they’re going to call the police and they’re going to come in and save them. It’s just not going to happen. So they need to have proper procedures in place to know what steps to take to bring an IT environment back up as quickly as possible.
It will also help when you make a cyber insurance application.
Howard: Before I leave this story listeners should know that New York State, in addition to the report, released a very handy and free business guide for credential stuffing attacks with valuable advice for blocking this kind of attack. And there’s a link to that report here.
Finally, I want to look at word that the U.S. Federal Trade Commission, which is a consumer protection agency, says that it’s going to slap companies that aren’t patching for the Apache log4j2 vulnerabilities. In case you’ve forgotten, these newly-discovered vulnerabilities are in a wide range of applications that use it for logging capabilities. Organizations around the world are still searching their applications for possible use of log4j and they’re trying to stay ahead of threat actors by patching. But some aren’t patching fast enough. So the FTC is trying to give American firms some encouragement by reminding them that the agency can act. My question to you, Terry, is should government agencies speak softly and carry a big stick? Or should they let the private sector handle cyber threats and cyber attacks?
Terry: I think we’re at a point where cyber security needs to be taken really seriously. But I feel businesses or business owners are only going to make a change once it’s put a hole in their wallets. I think governments should step in once an investigation has shown that companies have put very, very little in place to prevent a data breach. I’ll give you an example: We had a firm that was really cheapo on cybersecurity, to the point where they even went on BitTorrent to get pirated copies of antivirus software. But they didn’t know that the software they downloaded had a back door in it, and it took control of their customers’ information and all hell broke loose.
Howard: And one might expect that if you’re looking for free software some crook has already compromised it.
Instead of the government being tough, maybe other parts of the business sector should be tough. How about banks canceling loans or credit for companies that don’t meet certain cyber standards?
Terry: I have heard of businesses trying to qualify to work with a bank and get denied because their cyber security audit results are horrible. I’m also seeing more and more insurance firms actually canceling renewals of cyber coverage after a company’s been breached, or they’re actually refusing them because they don’t qualify.