There’s one word or phrase that sums up my annual cybersecurity review of the year.
“Lack of resilience” was the theme of 2022, highlighted by the Canada-wide outage at Rogers Communications. “Crazy mess” was the theme of 2021, thanks to SolarWinds Orion and other supply chain attacks.
This year, successful ransomware attacks hit a record level. But for me, that only made it the number two story of 2023.
Ahead of that was the seemingly endless stream of admissions by thousands of organizations that their MOVEit file transfer servers had been compromised by the Clop ransomware/extortion gang, which discovered a zero-day vulnerability that opened the door to large-scale data theft.
Technically, CVE-2023-34362 is a SQL injection flaw leading to remote code execution that lets an unauthenticated attacker install a web shell over the internet and remotely download the application’s database.
According to statistics compiled by Emsisoft, by Dec. 20 this one vulnerability was behind 2,691 breaches and the theft of data on over 91 million people around the world.
That’s why I’ve declared 2023 the year of the zero-day nightmare.
Before we get into the nitty-gritty of the MOVEit saga, remember that IT security professionals should have known that file transfer servers holding data have been hot targets for threat actors for years. In 2021, vulnerabilities in the Accellion FTA application were used to hack servers. Earlier this year, Fortra’s GoAnywhere MFT servers were hacked.
In fact, the Clop/Cl0p gang went after all three of these file transfer suites. Do you see a pattern here...?
Add this: according to researchers at Kroll LLC, Clop members were likely experimenting with ways to exploit the MOVEit vulnerability as far back as 2021, before they figured out how to exploit GoAnywhere MFT. For some reason (probably realizing the pickings were much bigger with MOVEit), the gang decided to go after GoAnywhere servers first.
Progress Software’s MOVEit is an on-premises or cloud-based application that compresses, encrypts and transfers large files. Customers use it to send files to third parties, such as payroll processors. In fact, many organizations had data about their customers or employees stolen not directly from their own servers but from third-party processors. For example, the compromise of MOVEit at the National Student Clearinghouse, a nonprofit organization that provides reporting and auditing services to U.S. postsecondary institutions, affected approximately 900 schools and 51,000 people. Colorado State University was one such institution. In fact, CSU was victimized six times through other providers.
Of the data stolen from 91 million people, the largest portion, 11.3 million, came from Maximus Inc., which manages many federal, state and municipal systems in the United States. The second-largest amount (8.9 million) came from Welltok Inc., a services provider for several U.S. health plans. The third largest (6.9 million) came from Delta Dental, a provider of dental insurance plans. The eighth largest (3.4 million) was the theft from BORN Ontario, a Canadian nonprofit registry of mothers, newborns and children, whose data goes back to 2010.
According to KonBriefing Research, the vast majority of victim organizations (2,290) were in the United States. Canada accounted for 152.
Interestingly, Clop’s strategy was to skip the complexity of deploying ransomware. The gang simply stole data and attempted to extort money from victim companies. It is not known how many paid.
IT departments were seemingly defenceless, or oblivious to suspicious activity (see this Kroll report).
“The MOVEit product is used to exchange data with other companies, which makes it difficult to protect the web server,” Johannes Ullrich, dean of research at the SANS Institute, told IT World Canada. “For a zero-day, it is also difficult to extend web application firewall rules or other rules to protect the server. Monitoring logs could have revealed some of the exploit activity, but not knowing what to look for makes it difficult to identify the activity.
“In short, it was a hard-to-avoid vulnerability. Some of those affected were likely slow to apply the patch (and likely neglected to search for exploitation once the vulnerability became known).”
Traditionally, at this point, after naming the top news stories of the year, this article lists the notable hacks of the past 12 months. Where victim organizations have released enough information, CISOs can draw lessons from some of those incidents: classify your IT assets and prioritize patching; replace default passwords on network devices such as routers; force employees to use app-based or security-key multi-factor authentication for logins; have a practiced incident response plan; and have a practiced data recovery plan. These lessons can be neatly summarized as “Follow Cybersecurity 101.”
But before I briefly recount those incidents for CISOs and CEOs, I draw attention to two investigations into this year’s attacks. One was conducted by the U.S. Cyber Safety Review Board, which the U.S. Department of Homeland Security asked to look into the causes of, and lessons learned from, the successful attacks by the Lapsus$ gang. (Two members of the gang have just been convicted in a British court.)
The Board is an arm of the U.S. Cybersecurity and Infrastructure Security Agency. Made up of public- and private-sector experts who talk behind closed doors with victim companies, its mandate is to study and report on the causes of significant cyber incidents.
Here are some quotes from the Lapsus$ report: “If well-resourced cybersecurity systems were so easily breached by a poorly organized group of malicious actors, which included multiple minors, how can organizations expect their systems to stand up to cybercrime syndicates and well-funded nation-state actors?
“The Board found that the multi-factor authentication (MFA) implementations widely used today in the digital ecosystem are not sufficient for most organizations or consumers. In particular, the Board found a collective failure to sufficiently mitigate the risks related to the use of short message service (SMS) and voice calls for MFA.” Its advice: have employees use an authenticator app or security key. The report also criticizes mobile carriers for making SIM card swapping too easy for fraudsters.
Another compelling report to read is the unclassified version of an investigation by the U.S. Air Force inspector general into the classified data that a low-level airman allegedly leaked to a political discussion group. It’s a lesson in insider risk and the importance of the need-to-know principle.
Now here’s a roundup of some of the year’s notable news:
As I said before, the second news story of the year was the ever-increasing number of ransomware attacks. According to NCC Group’s tally, that number was more than 4,000, double last year’s count. Keeping count was difficult, as corporations or municipalities announced only that they had been victims of a “cybersecurity incident.” Others said they had experienced a “crypto event,” avoiding the “r” word.
Among the Canadian victims were the Liquor Control Board of Ontario, the Indigo bookstore chain, a service provider for five Ontario hospitals, and the Toronto Public Library. According to The Globe and Mail, the library still cannot lend or accept returned books through its computer system.
Other victims of ransomware around the world include supercar maker Ferrari and MGM Resorts in Las Vegas.
A California law enforcement agency paid just over $1 million to a ransomware gang after an attack early last month. The Los Angeles Times reported that the San Bernardino County Sheriff’s Department and its insurer shared the cost so the department could regain access to its data. The department had to shut down its email, in-car computers and a system used by officers for background checks.
Some gangs took pity on the sick, probably for fear of provoking public anger, as with hospitals. For example, earlier this year the LockBit ransomware gang gave Toronto’s Hospital for Sick Children a decryption key so it could recover its encrypted data.
However, others discovered new methods of extorting money from victims. The AlphV/BlackCat gang created a website that mimicked that of an unnamed financial company which had been attacked and refused to pay. The message on the site: this company has been hacked, and here is all its data.
According to threat researcher Brett Callow of Emsisoft, the Medusa gang created a 51-minute video of screenshots of data allegedly copied from the Minneapolis Public Schools system to show the world that it had stolen the data.
In September, I moderated a panel on ransomware at the annual Sibos conference of the Swift financial messaging network, where a panelist said ransomware is a crisis.
Law enforcement has had some successes against ransomware and other cybercriminals. At least some of the AlphV/BlackCat gang’s infrastructure has been taken down. (The gang says it will show no mercy to critical infrastructure in retaliation.) The alleged leader of Breached Forums was arrested. Alleged members of the DoppelPaymer ransomware gang were arrested. The RCMP and FBI dismantled the Genesis criminal market. European police dismantled a gang that specialized in business email compromise scams. The Five Eyes intelligence alliance worked to dismantle the Snake malware network, and an alleged developer for the Ragnar Locker gang was arrested in Paris.
BlackBerry CEO John Chen has left the Canadian company after a decade at the helm. His efforts to turn what was once the leading maker of cellular devices into a leading cybersecurity company have failed.
Considering the challenges Chen faced when he arrived (the rise of Apple’s iPhone and the failure of the BB10 operating system to catch on), “he really has done a good job,” said Brian Jackson, a research director at InfoTech Research. But while Chen bought endpoint provider Cylance in 2019 to add to the company’s mobile device management platform, Jackson said enterprises saw the company as a point solution. On the enterprise side, partnerships were needed, Jackson said. A promising 2018 deal with Amazon, Jackson added, “never got off the ground.” By contrast, he added, Chen forged many partnerships to sell the company’s IoT portfolio, particularly to car manufacturers.
Huge hack victims included two American communications providers. T-Mobile had to notify 37 million customers of a data theft. Comcast Communications notified over 35 million of its subscribers of a data breach. Comcast was notified on Oct. 10 that its Citrix NetScaler Application Delivery Controllers needed to be patched, with more details following on Oct. 23. Comcast acted, but not fast enough.
A Canadian supermarket chain said the total impact of the cyber attack it suffered could be over $54 million.
Canadian Prime Minister Justin Trudeau revealed that a Canadian pipeline had somehow been attacked by Russian hacktivists. No significant details were provided. Meanwhile, Canadian energy producer Suncor reported a cyberattack. Microsoft reported that a Chinese group is targeting critical U.S. infrastructure. Microsoft also reported that a China-based threat actor was able to gain access to the cloud-based Microsoft email accounts of approximately 25 organizations, including government agencies, as well as related consumer accounts of individuals likely associated with those organizations, by forging authentication tokens.
In one of the most creative attacks of the year, an unnamed criminal group tried to extort money from the well-known cybersecurity firm Dragos. A new salesperson’s personal email address was compromised before they started work at Dragos. This allowed the attackers to impersonate the new employee and complete online onboarding with the company. After failing to gain elevated access privileges, the gang tried to extort money from Dragos by threatening to reveal their successful penetration. When that failed, they sent messages to family members of Dragos executives. Lesson from this incident: stronger identity verification is needed for remote onboarding of new staff.
Another imaginative attack: a Russian group saw an ad posted by a Polish diplomat offering a used BMW for sale and took advantage of it to spread malware by cloning the ad and, to attract clicks, claiming the price had been cut.
Dressing someone in a uniform (in this case, FedEx) can fool employees into letting a hacker plug a USB drive into a computer.
Canadian privacy commissioners made several important rulings. Home Depot Canada was criticized for not getting customers’ consent before sharing details of their e-receipts. But the federal privacy commissioner’s attempt to hold Facebook responsible under Canadian privacy law for the Canadian part of the Cambridge Analytica scandal was rejected by a judge. That ruling is being appealed.
Looking ahead to 2024, keep an eye out for developments in the U.S. Securities and Exchange Commission’s allegations that SolarWinds misled investors about its cybersecurity risks and vulnerabilities related to the 2020 compromise of its Orion software update mechanism; the federal Privacy Commissioner’s investigation into the theft of federal employees’ information from moving companies; and the Nova Scotia Privacy Commissioner’s investigation into the hack of Nova Scotia’s MOVEit server.
Finally, those reading this story should be cheered that, at least according to one expert, an infosec pro has a job for life.