Cyber Security Today, Week in Review for week ending Friday, June 21, 2024


Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday June 21st, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for TechNewsday.com.


In a few minutes David Shipley, head of Beauceron Security, will be here to discuss recent news.

We’ll delve into an investigation into the hack of an organization that went undetected for perhaps three years, more detail on Snowflake attacks and allegations by Australia’s privacy commissioner of what caused a huge data breach of a medical insurance provider.

But before we get to the discussion here’s a look at some of the headlines from the past seven days:

Consulting Radiologists, a Minnesota-based radiology service for clinics and hospitals, is notifying over 500,000 people their personal data was stolen. Information includes names, addresses, dates of birth, Social Security numbers, medical information and health insurance information.

The department of public health for Los Angeles County said a February data breach resulted in the theft of personal information of more than 200,000 people. It started with staff falling for a phishing attack resulting in the theft of email login credentials of 53 public health department employees. Data copied included names, dates of birth, Social Security numbers, medical diagnoses, some financial information and more.

Santander Holdings USA, the American arm of the Santander bank group, is notifying over 12,000 employees of a data theft. In a letter to staff the company says the information was stolen from a third-party database used by a Santander affiliate. Employee information copied includes names, Social Security numbers and bank account information used for direct deposit for payroll.

A two-hour outage of the 911 emergency response system across Massachusetts this week was caused by a firewall issue. SecurityWeek reports some emergency calls to the system couldn’t get through. However, the system saw phone numbers calling in so dispatch centres could call them back and find out if people needed help. The company that provides the 911 system couldn’t explain why the firewall affected its service. But it says it has applied a technical solution to make sure the incident isn’t repeated.

Two American companies that didn’t run required pre-production cybersecurity tests on a federal emergency rent assistance application they oversaw have agreed to pay millions of dollars to settle claims they violated federal law. Guidehouse Inc., which was the prime contractor, paid US$7.6 million, while Nan McKay and Associates, a subcontractor, paid US$3.7 million. The companies agreed that had the required software tests been done before the application went live they might have detected and stopped an information security breach.

Two American residents have been charged with allegedly running the criminal online marketplace called Empire Market. The Department of Homeland Security said the marketplace ran between 2018 and 2020. Charges include conspiracy for drug trafficking, computer fraud, counterfeiting and money laundering. Over three years the site facilitated transactions worth more than US$430 million.

Finally, Google released an update for the Chrome browser to plug six vulnerabilities. Windows users should be on a version that starts with 126 and ends in 115.

(The following is an edited transcript of the first of three topics David Shipley and I discussed. To hear the rest of the talk play the podcast)

Howard: Joining me now from Halifax, Nova Scotia is David Shipley. Hi there.

Let’s start with a forensic analysis on a three-year compromise of an unnamed organization. It was done by investigators at an Israeli company called Sygnia. The attacker is a suspected and very sophisticated China-based threat actor. The goal was espionage. The compromise was discovered late last year. The investigation found the organization had been infiltrated about three years earlier. Talk about persistence! And not just in terms of dwell time. This gang, which Sygnia calls Velvet Ant had multiple footholds in the victim organization. After being discovered when the defenders shut one door the attacker quickly pivoted to another. David, what struck you in reading this report?

David Shipley: My first thought is the length of the operation that we’re talking about. Three years is a crazy amount of time for someone to be inside of your network. Oftentimes we talk about that 200 day average that someone might be in a network, but we’re talking about something that’s three-times-plus that. And that’s probably the most important evidence that this is nation-state activity — even more than the tooling or the tactics they’re using. Criminals don’t have time to sit around for three years not making money. But if you’re on a government payroll, well, a different set of motivations … And I think it highlights that when we hear the phrase ‘advanced persistent threat,’ between ‘advanced’ and ‘persistent’ it’s persistent that matters the most and delivers the most value.

Howard: It isn’t clear how this organization was initially compromised. What caught my eye, though, were the number of blunders that IT leaders at this organization apparently made. Here’s one of them. It had two F5 BIG-IP appliances on the network. Now these are for things like firewall and load balancing. The attacker compromised both and used them for its internal command and control communications [after gaining entry]. And how were these devices compromised? Well, they weren’t supposed to be in production on the network. They were installed a long time ago as part of a disaster recovery plan, but the project wasn’t completed. Meanwhile, they stayed forgotten on the network — forgotten and unpatched, which is how they were compromised. Running an outdated operating system and open on the internet. Isn’t this Cybersecurity 101: Do an inventory of all the hardware and software that you have?

David: Absolutely. But what we’ve been hearing repeatedly all this year, on all fronts with all of the big breaches is this repeat hit song: ‘The basics are hard.’ And here’s the thing: Criminals are increasingly doing cyber judo on defenders, flipping them on their backs using their own defensive tools. And if you aren’t keeping these systems a) tracked and b) up to date I’d argue in some ways it’s probably worse to have a vulnerable security tool [on your network] than to have nothing at all because of the false sense of security you feel. I think the damnable part about this is the disaster recovery plan project that never ended that causes the disaster.
The forgotten-about infrastructure is also what got Microsoft in the Chinese hack that was investigated by the U.S. Cyber Security Review Board. This is unsexy stuff. There are no vendor silver bullets for this problem. We’ve had solutions on the market for asset discovery, classification, and management for years. And no, dear AI over-hypers, no generative AI LLM is going to solve this problem either. This is a people, process, culture, and tech problem. And that means it’s messy.

Howard: Here’s what I thought was blunder number two: While IT had commendably installed an EDR solution — that’s endpoint detection and remediation — apparently it was only on all of the company’s PCs. The EDR wasn’t on the Windows servers. So remember when I told you that the defenders started kicking the attacker out of several footholds? The attacker just turned to other footholds. It went on to compromise the Windows servers, and with no EDR that wasn’t noticed. And then the attacker activated previously deployed PlugX trojans that had been dormant in the environment and continued the attack.

David: I’m not sure if this counts as a blunder. This was a three-year-long campaign and how far did the logs go back? Very few organizations I know have more than a year’s worth of logs. Most don’t have a year. The part of the story about this unpatched F5 box has been interesting, but I feel like we’re missing other important aspects. I wonder what else was part of the story, like did phishing play a role in delivering this initial malware to the target? And I also was thinking a little bit how hard it is for people to visualize security coverage.
Maybe this is one of those emergent spaces where augmented reality or different ways of visualizing complex systems and data need to come into play. If you’re doing physical penetration tests on an organization you’re trying to break into you look to see where the blind spots are. And that’s exactly what happened here. Your EDR is your camera on the corner of the building. And if you’ve got blind spots, that’s exactly where the criminals are gonna go.

Howard: Is this a problem in many organizations that you see? They only put EDR on workstations, on desktops, and they forget about putting EDR on servers?

David: There’s a couple of different layers that come into the complexity of security monitoring tools in a server environment, particularly as we’ve had this giant push towards microservices and virtualization and layers of abstraction. And every time you put agents and systems and processes in place on servers, you’re imposing strain and costs and balances. And people would argue there are other mitigating controls. It’s not easy to decide these things. It seems obvious in hindsight, but depending on where in the production order, the stack, the other controls, it may be more complex than what you’re [currently] doing. This also goes to just how hard this can be, particularly if you’ve got a production environment where you’ve got servers that absolutely have to be high availability and you have a strict process on updates, et cetera, and a lower tolerance for disruption. Security tools can sometimes be a tricky balancing act with that. I think in an ideal world, you’ve got layers of observation, lots of cameras watching that corner of the building. And if you don’t have anything, no EDR, no monitoring, no other way of telling something bad, then it’s going to hurt.

Howard: Certainly a factor must have been the lack of device and network logging that would have highlighted suspicious activity.

David: That would have been the compensating control for not having an EDR system on the servers … EDR is good for what it does, but not every security problem is a nail requiring the EDR hammer. But as we’ve seen with other areas, lateral monitoring of activities that happen once you’re inside the house is really hard. It’s also expensive. So a lot of people just focus on ingress/egress, or what we typically call North-South. This gets back to your earlier point of why wouldn’t you have EDR on every server? Well, if you’re not going to have EDR on every server you really, really want to make sure you’ve got good monitoring to catch [suspicious traffic]. In this case, they had a massive blind spot. And that’s what crooks will use every single time.
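The three gaps the discussion keeps returning to are all inventory-reconciliation problems: appliances left over from a parked project that are still reachable, assets nobody has patched in years, and servers that sit outside EDR coverage. The script below is an added example written for this page, not code from the podcast or from Sygnia’s report. It assumes three exports a defender can usually obtain: a CMDB list, a network discovery sweep of what actually answered, and the EDR console’s enrolled-agent list. All hostnames, roles, statuses and dates are constructed; appliances that cannot run an agent are deliberately reported separately, since for them the compensating control is network monitoring rather than EDR.

```python
"""Reconcile CMDB, network discovery and EDR enrollment to surface
forgotten assets and EDR blind spots.

Added example, not the podcast's or Sygnia's code. All input rows are
constructed sample data; field names are assumptions about the exports.
"""
from datetime import date

# Constructed CMDB export: what IT believes exists and in what state.
CMDB = [
    {"host": "fw-edge-1", "role": "appliance", "status": "production", "last_patched": "2024-05-30"},
    {"host": "lb-dr-1", "role": "appliance", "status": "project-parked", "last_patched": "2021-03-15"},
    {"host": "dc-01", "role": "server", "status": "production", "last_patched": "2024-06-10"},
    {"host": "file-01", "role": "server", "status": "production", "last_patched": "2024-06-10"},
    {"host": "ws-1041", "role": "workstation", "status": "production", "last_patched": "2024-06-12"},
]

# Constructed discovery sweep: hostnames that actually answered on the network.
DISCOVERED = {"fw-edge-1", "lb-dr-1", "lb-dr-2", "dc-01", "file-01", "ws-1041"}

# Constructed EDR console export: hosts with an enrolled agent checking in.
EDR_ENROLLED = {"ws-1041"}

# Roles on which an endpoint agent is expected to run at all.
AGENT_CAPABLE = {"server", "workstation"}


def reconcile(cmdb, discovered, edr_enrolled, today, stale_days=180):
    """Return coverage-gap findings as sorted lists, keyed by finding type.

    unknown_on_network   - reachable but absent from the CMDB (nobody owns it)
    parked_but_reachable - CMDB says not production, yet it answers on the wire
    stale_patch          - reachable and not patched within stale_days
    no_edr               - agent-capable, reachable, but not enrolled in EDR
    needs_network_monitor- reachable appliance: cannot run EDR, so lateral
                           (east-west) traffic monitoring is the compensating control
    """
    known = {row["host"]: row for row in cmdb}
    findings = {
        "unknown_on_network": list(discovered - known.keys()),
        "parked_but_reachable": [],
        "stale_patch": [],
        "no_edr": [],
        "needs_network_monitor": [],
    }
    for host, row in known.items():
        if host not in discovered:
            continue  # offline assets are a separate hygiene question
        if row["status"] != "production":
            findings["parked_but_reachable"].append(host)
        patch_age = (today - date.fromisoformat(row["last_patched"])).days
        if patch_age > stale_days:
            findings["stale_patch"].append(host)
        if row["role"] in AGENT_CAPABLE:
            if host not in edr_enrolled:
                findings["no_edr"].append(host)
        else:
            findings["needs_network_monitor"].append(host)
    return {key: sorted(hosts) for key, hosts in findings.items()}


def edr_coverage(cmdb, discovered, edr_enrolled):
    """Fraction of reachable agent-capable hosts that are enrolled (0.0 to 1.0)."""
    eligible = [r["host"] for r in cmdb
                if r["role"] in AGENT_CAPABLE and r["host"] in discovered]
    if not eligible:
        return 1.0
    return sum(1 for h in eligible if h in edr_enrolled) / len(eligible)


if __name__ == "__main__":
    report = reconcile(CMDB, DISCOVERED, EDR_ENROLLED, date(2024, 6, 21))
    for finding, hosts in report.items():
        print(f"{finding:22s} {', '.join(hosts) or '-'}")
    print(f"EDR coverage of reachable servers/workstations: "
          f"{edr_coverage(CMDB, DISCOVERED, EDR_ENROLLED):.0%}")
```

Run against the constructed data, the report flags lb-dr-2 as an unowned host on the network, lb-dr-1 as a parked appliance that is both reachable and three years behind on patches, and both Windows servers as EDR blind spots, which is roughly the shape of the gaps described above. In practice the inputs would come from the CMDB, a scheduled discovery scan and the EDR vendor’s API rather than inline lists.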

Howard Solomon (https://www.itworldcanada.com)
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
