Welcome to Cyber Security Today. From Toronto, this is the Week in Review edition for the week ending Friday April 1st, 2022. Iâm Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Â
In a few minutes Iâll be joined by Terry Cutler, head of Montrealâs Cyology Labs, to discuss a few headlines from the past seven days. But first a brief roundup of some of what happened:
World Backup Day urges IT departments to take a rigorous approach to backing up corporate data. Terry and I will go over what you need to be doing.
Trellix issued a report on nation-state threat actors. These are countries, or their proxies, who are largely doing espionage and stealing corporate information, such as product or pharmaceutical secrets. Seventy-four per cent of survey respondents suspect that a state actor targeted their organization in the previous 18 months. Terry and I will delve into this report.
Weâll also look at reports that internet providers and companies, including Apple, are sometimes fooled into giving away information about subscribers by crooks pretending to be police dealing with an emergency.
The province of Newfoundland and Labrador admitted that more than 200,000 patient and employee files were accessed in a cyberattack that temporarily crippled the healthcare system last November. The actual number of people affected might be smaller because of repetitions in the files. One healthcare region hacked said it is paying closer attention to user passwords and multifactor authentication as it rebuilds its network.
Meanwhile the Hive ransomware gang claims it hit a California non-profit agency that helps people access healthcare in the state. The agencyâs website says itâs investigating certain activity with a forensics specialist.
Last week police in England detained and then released a bunch of people between the ages of 16 and 21 that reporters suspected of being part of the Lapsus$ extortion gang. Perhaps they werenât as deeply involved as was thought, because this week the Brazil-based IT company Globant admitted it was hit by Lapsus$. The company said a âlimited selectionâ of its source code as well as project-related documents of a very limited number of clients were accessed.
UPDATE: U.K. police have laid charges, according to the BBC. Two teens are charged with three counts of unauthorized access with intent to impair operation of, or hinder, access to a computer, and two counts of fraud by false representation. The 16-year-old, has also been charged with one count of causing a computer to perform a function to secure unauthorised access to a program.
More malware-infected software packages were found in the NPM open-source library, another warning to developers that code taken from these libraries need to be closely scanned before being put into their projects.
Police in a number of countries arrested 65 people including nine U.S. residents, two Canadian residents and 12 in Nigeria as part of a global crackdown on business email compromise scams. Often these are scams that convince employees to transfer money to what they think are legitimate bank accounts. They do it by cracking emails and pretending a customer is changing banks.
Finally, in case you thought ransomware attacks arenât too costly a customer relationship management software company called Atento said an attack last year cost it $42 million. Of that $34 million was lost revenue, $7.3 million was spent on repairing and improving IT systems.
(The following transcript has been edited for clarity)
Howard: Letâs start with the importance of a solid IT Backup strategy. I think it would be obvious because data theft has been with us almost since the beginning of the public internet. However, big causes of data losses are also hardware failure and human error. Yet some companies, big and small, still donât get backup right. The only way they find out is when thereâs a crisis. Why is that?
Terry Cutler: Making a backup and not testing. Itâs like not having a backup at all, and not just that we have to also worry about can hackers get into the system and actually wipe out that data. Weâre seeing whatâs happening in Ukraine with the wiper malware. So itâs very important that you know who has access to the data. If the internal backups are being wiped can we can we get access to to the backup?
Howard: So itâs important to have a rigorous backup strategy because itâs part of your disaster recovery strategy. What are some of the worst backup incidents that youâve come across in your career?
Terry: One happened a couple of years ago when a customer got hit with ransomware. All of their current backups were were were encrypted. And the attackers were asking for over a million dollars to recover the data. They tried their tape backup but found out that their offsite tapes werenât being regularly changed so that data was over seven months old â and when youâre dealing with health information you need to have more regular and more up-to-date copies of your data. They tried to restore the data from the tapes. But then we found out that the server thatâs being ransomed is the only server that can run that old version of software for the tape to be able to re-index. Then we found out that the database [on the tape] was corrupt it would have taken weeks to re-index it. We sent it out to a data recovery firm and were able to recover most of the data, but itâs still seven months old. So test your strategy.
Howard: Experts say you need a 3-2-1 backup strategy. Explain that.
Terry: The 3 represents having three copies of your data at all times. Two of those should be on different media. And one of them will be held offsite.
Howard: A lot of it people get confused between an incremental backup and a differential backup.
Terry: The biggest difference is that the incremental backups will only include data thatâs been changed since the previous backup. Letâs say youâve backed up a terabyte of data but only 200 megs of it changed. Itâs only gonna back up 200 megs. A differential backup will back up all of the files since the last full backup. Differential copies will help you recover faster because you just have to restore the full copy, then just restore the latest differential copy. The danger youâll have with incremental copies is that you may have 17 copies to fully restore data. If one of those copies is damaged itâll break the whole chain of recovery. So thereâs a lot of risk.
Howard: Another thing to keep in mind is youâve got to make sure that your backup isnât always linked to your live network. That can be difficult if youâre in a business where youâve got to make like backups every 30 seconds.
Terry: Thatâs the example I just gave. You had two side-by-side storage units with a fiber-optic connection between the two making backups of each other in case one failed. But because they were on the same network they both got encrypted.
Howard: So when youâre planning you got to make sure that doesnât happen. I came across a list of common mistakes that small IT departments make and they include things like inconsistent backups, forgetting that there are other offices in the company that may be outside the main branch, ignoring mobile devices, relying only on physical storage, not using your backup softwareâs automation features, forgetting your archive needs and not storing a copy of your backup offsite. Are these the kinds of things youâre seeing?
Terry: Yes, and I think that the moral of the story comes down to test, test, test. And I think itâs also really important that you have proper software and hardware inventory, because, going back to that [ransomed] customer, they werenât prepared for this. So they had no idea where their software installation keys were, they didnât know where to download the software for their accounting solution, didnât have the proper license keys to activate the products. In another case they didnât know what third parties have access to their network. So they might be fully secured from external threats, but they donât realize that a third party has access to the internal network to sensitive information. We saw in a previous case where an MSP (managed service provider] got attacked and the attackers got into 40 of their customers via TeamViewer and ransomed them all. So itâs very important to know who has access to your data. The other thing is how fast can you recover from any type of disaster?
Howard: One thing that thatâs vital to remember is that cloud providers probably donât back up the data that you have with them. Email providers like Gmail or your web hosting provider may not be backing up your backup.
Terry: There was a high-profile case that just happened recently with [cloud storage provider] StorageCraft. By human error they accidentally destroyed all customer backups. And that is is pretty much every CEOâs nightmare. They get hit by ransomware and thereâs no data backup. Whatâs worse is that some customers of StorageCraft could also be managed service providers, who have their own customers. So if their customers ever got hit. Um, theyâre trying to rely on storage craft to recover their data. Thatâs why offline backups are key.
Howard: There was a problem with a Canadian company called Web Hosting Canada. They lost some data and some customers might have had trouble because the provider didnât have immediate access to their data. [Most but not all website data was recovered]
Terry: Itâs like the whole zero trust model â Have your proper offsite backups. Trust no one.
Howard: And you need to do two vital things: Once you have a backup strategy, youâve got to regularly verify the integrity of your backup data and youâve got to have it staff practice restoring your data.
Terry: Exactly.
Howard: You can get lots of good advice on backing up on backup strategies from your existing vendors. You donât necessarily have to hire a consultant. The big IT suppliers that you already deal with, including Microsoft, will have free advice. And so does your trusty taxpayer-supported sources, which are governments. In Canada thatâs the Canadian Centre for Cyber Security, in the United States itâs the Cyber Security and Infrastructure Security agency, and for those of you in the U.K. who are listening, itâs the National Cyber Security Center. Theyâll have free advice that will get your IT department thinking about how you can develop and a mature store backup strategy.
Howard: Letâs turn to the Trellix report. For those of you who donât know, Trellix is the name of the merged FireEye and Mcafee Enterprise companies. This is one of the first reports from the new firm and they talk about the importance of being aware of nation-state or nation-state-supported threat groups that may attack your company for a variety of motives. What I got from this is that organizations underestimate the number of attacks from nation-states that they may face. What did you learn?
Terry: From this report, but also from the years that Iâve been going back and forth with my friends in Ottawa who helped investigate this exact matter[foreign interference]. Years ago they [the RCMP] didnât have the expertise nor the jurisdiction capabilities to stop this. The other thing is when someone [a nation state] has embedded themselves into things like firmware itâs very, very difficult to know there are beaconings [back to the group] going on.
Thereâs no silver bullet to stop the hackers from getting in, but there are technologies and experts that exist that you can have in the background that will give you a holistic situation, a situational awareness of your entire network. So while these components are being attacked the company would be able to get notification that these weird things are happening. It really comes down to visibility: Do you have detection technology in place to notice somethingâs going on? And you have a response plan to get the hacker out once heâs been detected?
Howard: One of the dangers of a nation-state attack is data theft of intellectual property that could lead to the collapse of your company because it passes on the data to one of its prize companies and puts you out of business. The report doesnât mention it, but one example is the collapse of Canadaâs Nortel Networks. There was one Nortel official who investigated suspicious activity on the network and is certain that the theft of intellectual property from hackers from China led to Nortelâs downfall.
Terry: They were warned multiple times by intelligence agencies.
Howard: Is attribution of an attacker important? Isnât it my job as a CIO or CISO or IT leader to protect important data no matter who attacks me?
Terry: The problem is sometimes youâre too close to the data you lose sight of whatâs possible. Thatâs why itâs important to go to a third party that can look into these matters for you and get fresh eyes on your situation. Weâre going to find things that you typically wouldnât think of. A lot of times customers donât have the in-house expertise. The CIO or CISOâs job is to bring as much risk visibility into the organization as possible. But sometimes they just donât have the staff to do it.
Howard: So what should companies do to blunt the threat of a nation-state attack given that countries have the luxury of time and money behind these attacks?
Terry: It really comes down to can you monitor your network in a holistic way and look at all the traffic thatâs leaving your company. Look for things like beaconings to unapproved servers in China or Russia when your organizationâs in Canada. That might not be normal. Make sure you have endpoint detection and response technology.
Howard: Finally, you spotted an interesting post by American cyber reporter Brian Krebs. Tell us about that.
Terry: Hackers were able to break into law enforcement agencies and used legitimate email accounts to ask for urgent request information from providers. Usually if law enforcement wants information about a specific individual they need a subpoena [or court order] to get it, but there is a process called an urgent request that law enforcement can make. Companies like Facebook or Apple will provide that information because itâs coming from a legitimate source. But in some cases cybercriminals got into a legitimate law enforcement email address and asked for peopleâs information like the address of a subscriber, their IP address and some other personal details.
Howard: Just to be clear there usually has to be a matter of life and death so police can quickly track down who is behind a cyber attack or an imminent criminal offence. There was a mention of Apple and Meta from Bloomberg News. Meta, of course, is the parent company of Facebook. Sources told Bloomberg that these two companies ah provided customer data to hackers who were masquerading as police. Meta issued a statement saying, âWe review every data request for legal sufficiency and use advanced systems and processes to verify law enforcement requests and so we can also detect abuse. We block known compromise accounts from making requests for work with law enforcement to respond to incidents involving suspected fraudulent requests.â And in this particular reported case theyâve also Investigated it. It seems to me that and this is a matter of perhaps police forces are trusting email, like a lot of other companies do. And in some cases they may not have the processes that they need to make sure of the authenticity of a request for personal information.
Terry: It sounds to me that law enforcement needs to beef up their cyber security. There is technology out there that monitors email accounts that looks for whatâs called impossible travel. For example, one day youâre logging in from Montreal as as a police officer, the next hour youâre logging in from Lagos, Nigeria. An alert would be triggered and it can block the account.