Welcome to Cyber Security Today. This is the Week in Review edition for Friday, December 23rd, 2022. From Toronto, I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In a few minutes Terry Cutler of Cyology Labs will be here to talk about some of what happened in the past seven days. First, a recap of the headlines:
The U.S. Justice Department seized 48 internet domains of crooks offering DDoS-for-hire services. Terry and I will talk about that. We’ll also look at the Samba project, which issued four patches to plug vulnerabilities, and at how trying to save money is getting government departments in Ukraine hacked, a group is attacking Russia
Canadian supermarket chain Empire Co. said it may have to take a charge of $25 million to its finances for costs not covered by cyber insurance after the cyber attack it suffered last month.
Personal information of customers who dined in restaurants that use the SevenRooms customer management platform is being offered for sale on the internet. SevenRooms told the Bleeping Computer news site that a file transfer interface of a third-party vendor was hacked, allowing a crook to steal information such as customers’ names, email addresses and phone numbers.
The Agenda ransomware strain now has a version written in the Rust language. Researchers at Trend Micro say the version doesn’t yet have the same features as the original written in Golang. Hackers are increasingly using Rust because it is more difficult for IT defenders to analyze and isn’t easily detected by antivirus engines.
Last month I reported that the sports betting site called DraftKings had suffered a cyber attack. Last week the company told the Maine attorney general’s office how big it was: Personal information of just under 68,000 players was copied. According to letters sent to victims, attackers may have accessed their username or email address plus their password to access their DraftKings account. In some cases funds were stolen. The money lost has been restored.
Cisco Systems issued a security advisory for a critical vulnerability in its IOS and IOS XE software that was patched in 2017. The advisory is essentially a reminder to Cisco administrators to install the update if they haven’t done so already.
And Foxit issued security updates for version 12.1 of its PDF Reader and Editor.
(The following transcript has been edited for clarity. To hear the full conversation, play the podcast.)
Howard: Joining us now from Montreal is Terry Cutler. Let’s start with Samba. The Samba project issued four patches to plug vulnerabilities. First, what is Samba?
Terry: In a nutshell Samba is the standard interoperability suite that allows integration of both Linux and Windows. This will allow IT administrators to link Linux and Unix servers and desktops into Active Directory. This way administrators can manage setup and configuration from one place. A lot of large companies deploy Linux because it obviously takes less resources, and it’s more stable than Windows, in my opinion. The challenge is finding Linux experts to manage these things. One of the reasons why some get installed is so it could be centrally managed.
Howard: How serious are the four vulnerabilities that the Samba project identified?
Terry: By default Samba will accept connections from any host, which means that if you run an insecure version of Samba on a host that’s directly connected to the internet you’re especially going to be vulnerable. But here’s where it gets worse: If the Samba server is misconfigured and allows unauthenticated users to connect to it then an authenticated attacker could leverage a cryptographic flaw … This will allow the security feature to be bypassed in Windows Active Directory. Now attackers can leverage a Linux box to gain access to a Windows environment.
Howard: Do IT departments generally run Samba well-configured?
Terry: In my opinion it’s not always safely configured. A lot of times we’ll find configurations that are set for anyone, so it’s like a general public folder where anyone could upload malicious content to that folder, and then somebody will open it. We’ve seen it in a case where it was vulnerable and it could be exploited.
Howard: Do these new patches that were just announced need to be installed fast?
Terry: Here’s the challenge: Microsoft released some patches in November as part of their Patch Tuesday to stop an attacker from gaining access from that Samba exploit. So now administrators have to get this patch out as quickly as possible. But there are already log4j vulnerabilities still lingering. There’s obviously problems with patch management solutions. They’re not getting their stuff done in time. Companies don’t have proper asset management, they don’t have proper vulnerability management. And most Linux servers are critical hosts, which means you can’t just simply patch or reboot them. You have to go through a change management process which could take weeks — and then you have the issue of a shortage of Linux experts. I think what we’re going to start seeing in the future is supply chain attacks where it’s going to be like a cross exploit. We’ve got to learn to start doing more with less, so we need more automation.
Howard: Item number two: The U.S. Justice Department seized 48 internet domains that were offering distributed denial of service for hire services. That’s good news to end the year on. Charges were also laid against six American residents. Denial-of-service services are often marketed as so-called legitimate sites that security researchers can use to stress websites and so they’re called stressor services. Or on the dark web they’re called booster sites. Why are DDoS sites of such concern to IT organizations?
Terry: Maybe we can back up a little second here and explain the difference between a DoS attack and a DDoS attack. Imagine you’re browsing a shopping site and you don’t like what they sell. Or you’re a competitor. If they get attacked by one computer sending tons of packets to it, that’s a denial of service attack. Usually most environments are equipped to handle that. A distributed denial of service attack happens when computers of unsuspecting consumers or legitimate websites are infected with malicious code to create a bot. A bot master allows the attacker to launch thousands of computers against that shopping site and overwhelms it. The booster or stressor service offers convenient ways for malicious hackers to conduct DDoS attacks and obscure attribution.
Howard: And the thing is these services are cheap: If you were a crook all you had to do was pay $20, $50, $75 and you automatically had an entire configured DDoS attack system ready for you. All you had to do was type in the URL of your target and hit enter.
Usually IT and security teams are worried about data theft. At first blush a DDoS attack is harassment. But it can be more than that.
Terry: Yes. I’ve only dealt with two cases in the last five years. In one a company was selling guitars and I guess a competitor didn’t like them and started attacking them. We found out that they didn’t have proper DDoS protection in place, and they had to buy that. Another one was for political reasons. The attacker didn’t believe in what a not-for-profit was doing, and shot down its site for days. DDoS could also be used for misdirection: While they’re attacking your site they could be launching an attack on another area of your network.
Howard: Are organizations doing enough to fend off DDoS attacks?
Terry: I don’t believe so. They’re not going to think they’re a target until it’s too late and under attack. There’s a chance that you can call up your ISP and have them change your IP address, which will bring you back up. The good news is that DDoS attacks don’t last forever, but it will take a couple of days [to get you back], and if you’re a high transactional site you could be losing thousands and millions of dollars in the meantime.
Howard: News item three: Cyberwar. Last week David Shipley and I talked about cyber war. This week is your turn. A couple of things are going on: Mandiant found Ukrainian government departments were being infected with trojanized versions of Windows 10 installer files. These are called ISO files. Victims are downloading these corrupted versions of Windows from torrent sites, not from Microsoft. With the war on I suspect that IT people in Ukraine must have thought they struck gold by finding a free version of Windows.
Terry: This is crazy, but I had the same experience doing an incident response for another company last year. An insurance company [employee] thought they were going to save money and download an antivirus solution off torrent instead of paying $69. The antivirus was backdoored. It was installed in all his computers and infected his Outlook. Then it started sending out infected zip files to everyone on his contact list. It was sending emails saying, ‘Here’s your latest quote, here’s the password to unlock the file.’ Because the zip file was encrypted the antivirus solution won’t scan it. Once a victim opens the zip file and executes what’s in it they become infected. The insurance company started getting lawsuits from clients who became infected. Why would you waste time downloading these operating systems and things from torrents?
Howard: IT people at the very least should know you don’t download from torrent sites. These are highly risky places. And if I read the Mandiant report right the organizations that were victimized by this malicious Windows had already been hit by wiperware. So perhaps they were desperate for what they thought was a new and free copy of Windows.
Terry: I’ve seen this before, especially with junior IT folks. They think they’re doing a company a favor by saving money on the license by downloading this backdoor version of an operating system. The problem is a lot of companies don’t have proper network monitoring in place to know that there’s been communication established to a hacker network so they don’t see these things happening.
Howard: The thought is that this is an espionage tactic by a Russian group that first hit the Ukrainian government departments earlier in the year with data-wiping malware. Then they let free versions of Windows 10 just sit there waiting for victims to download.
Terry: Imagine if it was actually a spy working for these companies that explicitly swapped out a real version of the Windows ISO file and copied that version in. I had to deal with a situation like that in 2015 at an energy company. There was actually a spy that was hired from China, but we couldn’t prove who it was at the time. We had to create a special HTML and copy it into a sensitive folder and waited for somebody to open it. And when they did it revealed some information about the operating system on their computer. We could then triangulate where this machine was.
Howard: The other related news was a report by CheckPoint Software that an unattributed cyber espionage group has recently been targeting Russia and its ally in Belarus after years of hitting other countries. This group, which was given the nickname Cloud Atlas, is also going after organizations in the Russian-annexed Crimea Peninsula and in the Donetsk region. Typically the gang’s weapon is a compromised Microsoft Office document. So this is a new angle of the cyber war — a group going after Russia. What do you think is going on here?
Terry: Obviously the Cloud Atlas group typically uses phishing emails with malicious attachments to gain initial access to the victim’s computer. What’s interesting is that these documents are carefully crafted to mimic government statements or media articles or business proposals. But here’s the kicker: the file might not be flagged as malicious by antivirus solutions because the document itself only contains a link to a template. So when the file comes through the antivirus can say there are no problems here. But the moment someone opens up the attachment the template will be pulled down and execute the malicious code. If you have things like EDR (endpoint detection and response) you’re going to see Word trying to open up a command prompt and starting to do lateral movement. That’s why EDR is so important.
Howard: What struck me was here’s a group, a threat group — there’s no attribution to who this group might be — that has been going on for a couple of years and it seems to have switched targets from other countries to now going after Russia and its allies. The conspiracy genes inside me are saying if I’m a western government I might slip a few thousand dollars to a criminal threat group and say, ‘Instead of attacking us, why didn’t you attack Russia?’
Terry: We are starting to see some of these things. There are reports of ransomware gangs turning on each other.
Howard: The last thing today I want to talk about is the year end. We’re going to hear more from you next Wednesday about the Year in Review. Are there lessons that you’ve learned in the past 12 months from data breach investigations that you’ve participated in?
Terry: We actually surpassed over a hundred audits this year. We’re seeing a common theme: A very large increase in phishing attacks because most companies don’t have the proper technology in place to stop them. There’s not enough awareness training to stop this. We’re seeing a lot of people using the same password everywhere online. So when data breaches occur passwords are leaking on the dark web. We’re seeing a lot of unpatched systems. We’re seeing a lot of folks who think antivirus is all they need when in fact, they need endpoint detection and response technology. Or they don’t have network monitoring, especially in the cloud. No log management, and not enough staff with expertise. And the big one I see is they have a lot of tools in place but they have to piecemeal an incident back together again.
If I can provide any advice it’s that you have to understand times have changed. Gone are the days of ‘I have a firewall and an antivirus and I’m safe.’ Those are traditional cybersecurity technologies that can be easily bypassed now … Try to find some tools that can give you a holistic view of what’s going on in your network. Replace your AV with EDR right now … We’re also seeing a lot of turnovers because IT guys are leaving their current employers for the highest bidder. Lastly, I would say invest in good anti-spam systems.