Welcome to Cyber Security Today. From Toronto, this is the Week in Review for the week ending Friday May 27th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In a few minutes I’ll be joined by Terry Cutler, head of Montreal’s Cyology Labs, to discuss some of the news from the past seven days. First, a roundup of highlights:
Once again ransomware was big in the news: Researchers said that for various reasons the Conti gang has decided to shut down its brand and instead work through affiliated gangs Terry and I will discuss if infosec pros should care.
Meanwhile a new extortion group called RansomHouse has emerged. According to one news site, it claims the Saskatchewan Liquor and Gaming Authority was a victim in December.
The latest annual Verizon Data Breach Investigation Report was released. The authoritative report, which analyzes information on cyber incidents and data breaches from a large number of cybersecurity companies, found ransomware incidents were up 13 per cent last year over 2020.
It also found mistakes by employees, partners and others were responsible for 14 per cent of all data breaches in 2021.
Terry and I will also look at a report that hackers found a way to open accounts on social media and other sites in a victim’s name with just their email address with the goal of stealing their personal information.
Clearview AI, which sells facial recognition software to police forces, has been under attack for a long time for copying billions of images of people off the internet to use for comparative purposes. It’s facing new problems: The United Kingdom’s privacy commissioner has fined the company the equivalent of over $9 million for using people’s faces without their consent. And it ordered Clearview to delete the images of UK residents from its databases. Clearview has also been fined by regulators in France, Italy and Australia. In Canada, Clearview is fighting an order by privacy commissioners here to delete the images of Canadians in its databases.
Finally, there’s more fallout from the Cambridge Analytica scandal. The now-defunct British firm acquired personal information about tens of millions of Facebook users from an app developer. The city of Washington, D.C., launched a lawsuit against Mark Zuckerberg, who heads Facebook’s parent company Meta. It alleges Facebook’s failure to tell users their personal information may be shared with third-party applications without their knowledge misled subscribers. In 2015 Facebook was fined $5 billion by the U.S. Federal Trade Commission over the incident.
(The following transcript has been edited for clarity)
Howard: Ransomware gangs often rebrand as law enforcement agencies crackdown on them. But this week came news that the Conti ransomware gang, known for attacking big companies and government departments, is retiring its brand to instead work closer with other gangs. What do you make of this news?
Terry Cutler: We’ve heard this before — a group retires, then they come out of retirement and they rebrand. I think what’s happening here is that there’s just way too much heat on them [Conti] and some of their members may be getting a little scared. Some are asking the group to like tone it down a little bit. That’s why I think they’re switching now to smaller groups. I think after they threatened the Costa Rican government that’s where they’d rather just work with other operators like Karakurt or BlackByte. Remember, it’s the Conti brand that’s shutting down. The actors are still there. They’re just shutting things down like the negotiation site, the chat rooms, the messenger servers and the proxy servers. That doesn’t mean that the threat actors themselves are retiring.
Howard: The research, which was done by a firm called Advanced Intel, argues that the recently and highly-publicized attack on government departments in Costa Rica has been used as a smokescreen for Conti’s strategy shift. In the past couple of weeks Conti has made us think that it’s trying to overthrow the government, but it’s really restructuring. What do you think?
Terry: I think that’s part of their great grand finale, to use this as a publicity stunt. This way they can perform their own death, and then maybe, a rebirth. We have to see what’s going to happen. But I also heard that things were a little bit toxic, too, because the group pledged their allegiance to Russia and was in favor of the invasion of Ukraine. Maybe that didn’t sit well with other members. That’s why there was some leakage of some private gang chat messages and logs.
Howard: That would appear true according to some interpretation. The leak was a bit of vindictiveness by someone regarding the Conti endorsement of the Russian invasion of Ukraine.
So for those of you who are keeping score, this report says Conti will focus on supporting data-stealing groups as Karakurt, BlackBasta and BlackByte, as well as ransomware groups called AlphaV/BlackCat, Hive, Hello Kitty and AvosLocker. So if I’m a cyber security leader at a company because Conti is doing this do I need to change my strategy in any way?
Terry: First I’d like to know who comes up with the names of these groups.
Your defences really come down to visibility [on the network]. The goal here is to shrink your attack surface as much as possible. We know there’s no silver bullet to stop a hacker, but you want to make it as difficult as possible for them to get in. A lot of companies right now don’t have the right tools or the automation in place, or maybe not even working with the right outsourced partner. So I don’t think they’re going to fare well in a cyberattack, because there’s so many ways for an attacker to get into your system. IT is dealing with phishing attacks, untrained users, stolen passwords, unpatched systems, they don’t have EDR [endpoint detection and response software] in place, there’s no network monitoring, no log management … The IT department has to deal with all these ways that attackers can get in. And on top of that IT people are not necessarily trained in cybersecurity or incident response and forensics. They need to team up with a cybersecurity expert or firm to keep an eye on their infrastructure.
Howard: Listeners may recall that a year ago an international group of researchers and vendors called the Ransomware Task Force issued a report, which in part called on governments to take more action to fight ransomware groups. Last Friday it issued a first-year report looking back at what was accomplished. Admittedly fighting cybercriminals in the digital era is no small task, but most researchers including the annual Verizon Data Breach Investigation report — which was released on Tuesday — agree that ransomware is only increasing. However, some governments and insurance agencies think it’s slowing down or at least stabilizing. This lack of consensus is a challenge, the Ransomware Task Force authors. Briefly, the Task Force believes that of its 48 recommendations there’s been tangible progress on 12, such as promises by a number of governments to work together to fight ransomware. Here’s an example: The U.S. said that it’s about to convene a joint [inter-department] ransomware task force which was mandated under a recently passed federal law. My question to you is, are governments doing enough — and in particular is Canada doing enough to fight ransomware?
Terry: Here’s the biggest challenge. It’s all around attribution — finding out where these people [threat actors] are, and as you know it’s really difficult to find out who’s behind these attacks because there’s so many ways to hide their tracks. And the moment they’ve uncovered one server there might be no logs on there or if there are logs the guy’s hidden another one. So eventually’s gonna be no logging. In some cases there’s going to be human error — maybe the [victim’s] backups weren’t done properly and there’s months of data missed. You’re faced with the challenge of do we pay to get our data back or do we not pay it and lose our data? … That’s a big challenge, especially with small businesses: If you don’t pay that ransom and you don’t have a proper backup that you’re going to go out of business. But when organizations don’t pay attackers lose their main revenue stream. That’s why they’re going to go after small medium small and medium businesses, and critical infrastructure providers … That’s why I think the focus now is going to be on helping organizations prepare and respond to these types of attacks.
Howard: Also this week, researchers at Cyberint released a report on a new extortion group called RansomHouse. It specializes in stealing data and then holding it for ransom. So it doesn’t bother with encrypting data. According to the Bleeping Computer news site, the Saskatchewan Liquor and Gaming Authority was one of its none victims. In December the authority acknowledged being hit by a cyber incident. That forced it to temporarily take IT systems offline. This is seemingly part of a new trend for threat groups to just forget about infecting a firm or government with ransomware — just steal the data and hold it for ransom.
Terry: Again, it all comes down to no [network] visibility inside these organizations … There’s a tactic that I tried a couple of years ago where you could do some advanced Google searches to see if customers’ data leaked because they were misconfiguring their database backups. And it was actually copying the data to another server, but it was unlocked. So we would try and contact these customers and say, ‘Your data is is visible. How about we come in and do a cyber audit to help lock you down.’ And we would be accused of being the hackers trying to extort them. That’s why it’s very difficult to try and help organizations take cyber security seriously.
Howard: Companies shouldn’t feel they’re defenseless. They actually have quite a bit of control over their defenses.
Terry: One of the things they need to do is a cybersecurity audit, especially if they haven’t had a penetration test done in a long time — and a penetration test is essentially what hackers are doing. They’re giving you a free penetration test — but if you fail you just lost your data. The difference with us on the ethical hacker side is that we’re going to provide you a report that shows you all the vulnerabilities. And it’s going to cost far less to get a proper audit done than having your data ransomed.
Howard: The last story that I want to look at was an interesting report about crooks tricking people into getting social media and other accounts that they didn’t know they had.
Terry: Cybersecurity researchers were able to reveal that hackers can actually hijack your online account before you even register them. They did this by exploiting a flaw that’s now been fixed in most popular websites like Instagram, Linkedin, WordPress, and Dropbox. It’s called a pre-hijacking attack. The hacker needs to know your email address. They can find this out either by email correspondence or through data breaches. The attacker then creates an account on a vulnerable site. The site sends confirmation emails to you. The hope is you get annoyed by this email and confirm or create the account. If you do either you use the password the attacker set up. If you ask for a password reset the hacker sees that, too. The problem is there’s a lack of strict verification of email registrations. The best way to deal with this is that once you’ve registered your account immediately activate two-step verification.
Howard: So this is another form of what’s broadly called a social engineering attack. The crooks are betting that you’re going to get tired of being pestered by a notification about an account you didn’t know you had and so you’ll ask for a password reset. But one way or another the crook still has access, so eventually they’re going to start to get personal information about you. This is especially dangerous if what they do is they get hold of your Linkedin account. There’s a number of techniques that the crooks can use so I’ve simplified it. Isn’t this a major failure of websites and their process management?
Terry: It’s a registration process. Sites want to make it as simple as possible for users to be on-boarded, because if it’s complex either they won’t subscribe or they’re going to start emailing the support hotline. But it’s up to sites and people to secure their accounts. Cybersecurity is everyone’s responsibility. Multifactor authentication is one of the biggest keys to stopping these breaches and people are still not using it.