Welcome to Cyber Security Today. This is the Week in Review edition for the week ending March 4th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In a few minutes I’ll be joined by David Shipley, CEO of Beauceron Security. But first a look at some of the headlines from the past seven days:
Ukraine is not only dominating political news, but the cyber new as well because of cyberattacks. There was a massive attack on Ukrainian universities that coincided with Russia’s invasion, says WordFence, which sells security solutions to protect WordPress. The attack resulted in at least 30 compromised Ukrainian university websites. Microsoft said several hours before the invasion it detected a new round of offensive and destructive cyberattacks against Ukraine’s digital infrastructure. ESET found two pieces of wiper malware sent to computers in Ukraine.
On the other hand after the Conti ransomware group announced support for Russia, a Ukrainian researcher struck back. They broke into the Conti’s files and leaked messages between gang members, as well as the source for their ransomware and their operational administrative panels.
David and I will talk about cyberwar and the possibility it will hit other countries.
Meanwhile Eugene Kapsersky, the head of the Russian-based cybersecurity provider that bears his name, is being criticized for the way he urged negotiations to resolve what he called “the current situation.” Should he – could he — have used the word “invasion?” Was he afraid Vladimir Putin would have slapped his company? David and I will talk about this as well.
There were big data breaches revealed in the past seven days: Tire maker Bridgestone had to send some workers home and disconnect some of its IT systems from the internet due to what was called a potential IT incident. Toyota was forced to shut production at 14 plants in Japan after a cyberattack on a parts supplier. International insurance broker Aon said a cyber incident impacted what it called “a limited number of systems.” Video surveillance systems maker Axis Communications admitted someone was able to use social engineering to get around multifactor authentication login protection and hack into the company. And the Lapsus$ hacking gang stole proprietary product data from graphics card maker Nvidia and is reportedly demanding the company take power restrictions off some of its processors or it will leak the data.
(The following transcript has been edited for clarity. To hear the full conversation play the podcast, which was recorded on Thursday, March 3rd)
Howard: Let’s start today with Ukraine. It wasn’t unexpected that Russia or Russian-based or sympathetic threat actors might engage in cyberwar. Experts say Russia briefly knocked out power in Ukraine in 2015 and 2016, it’s of course well known that it launched cyber espionage attacks against the U.S. for years and is accused of interfering in the 16 U.S. Presidential election through hacks and misinformation. So to no one’s surprise cyber attacks are increasing in Ukraine. There were crippling attacks just before Russian troops invaded last month. Researchers at Microsoft and ESET found a new data wiping malware in some systems in Ukraine. Microsoft calls it FoxBlade, ESET calls it HermeticWiper. David, what are your thoughts?
David Shipley: It was entirely expected that we would see an amp up in the days prior to the increased incursion into Ukraine. The Russians had used denial of service attacks against government websites, banking and others. They of course continue to use disinformation and social media to try and amplify their narrative around their twisted logic for the invasion. And then, of course, HermeticWiper is the exact same playbook that we saw with NotPetya, which tries to look like ransomware but what it actually does is destroy the master boot record on Windows devices rendering them inoperable.
So far, according to Microsoft and others, several hundred computer systems in government, IT companies and the financial sector have been infected. It did include a worm component but it looks like that did not catch as on as much as what we saw with NotPetya — thankfully — but this is part of the tools of the trade. One of the things that that I’ve been surprised at is that we haven’t seen broader use of cyber as a weapon against telecommunications networks and news networks. They did not go down in the early days of this invasion, and there is some speculation that Russia’s military communications infrastructure is so poor that they’ve actually been trying to use the mobile infrastructure the mobile data and cellular infrastructure in Ukraine to help co-ordinate their attack. That’s prompting Ukrainian telecommunications providers to block Russian phone numbers. So it’s been interesting. It’s not been as severe as we were expecting, and that highlights what some experts believe: cyber is best used in the period before actual armed conflict, and that once armed conflict starts its relative utility declines dramatically after that.
Howard: New York Times reporter David Sanger wrote a book about nation states’ use of cyber a couple of years ago and he titled it, ‘The Perfect Weapon,’ and that’s his thesis: that that cyber really is for nations a perfect weapon. In the book he details a long history of cyberattacks. Perhaps listeners might be most familiar with the Stuxnet worm that broke nuclear centrifuges in Iran and has been attributed to Israel and the United States teaming up.
David: The challenge with these government-developed hacking tools is what happens when they go off-script. We saw that with Stuxnet – there were infections that happened outside of Iran. That’s how we started to learn about Stuxnet. And we’ve seen lots of uses of destructive malware by countries. North Korea used destructive malware in several attacks in the 2010s against South Korea in order to cripple their TV stations and banking as a retaliation. So you know there’s a long history. Microsoft president Brad Smith has pointed out that these cyber weapons are big concerns when it comes to things like the Geneva Conventions and if they take out a hospital if that’s a violation of the laws of armed conflict.
Howard: The thing is while an attacker may try to tailor a cyber weapon against a particular company or against a particular country or company, this is computing mistakes happen. And the obvious example is the NotPetya wiperware in 2017 that was aimed again at Ukraine. The vehicle was compromised Ukrainian tax software and while the attack may have been intended only to compromise computers in Ukraine, it spread around the world because computers are interconnected. That kind of unintentional spread of cyber warfare may happen as a result of the current Russia-Ukraine war.
David: And that’s probably the most likely cyber risk that we face in the Western world outside of Europe: the unintentional spread. I do not believe at this time that the Russian government is honestly considering massive DDoS attacks against Canadian or American banking firms or attacks against critical infrastructure because the Americans have already come out and said they’ll treat cyber as potentially worthy of a response kinetically — that is with actual physical violence. And Putin kind of skipped cyber on his threats to the West as things escalated in Ukraine by jumping right to ‘Remember we have nuclear weapons’ and escalating the posture of his security forces.
What’s interesting is WannaCry was built on hacking tools that the Americans lost and that’s what brought down hundreds of hospitals in the United Kingdom. So one of the big concerns, if we get through this current crisis in Europe in this new cold war, is what are the rules going to be when countries develop or find vulnerabilities in key software and try and weaponize that? What are the consequences on countries when that goes sideways?
Howard: There are cyber experts who worry that Russia or Russian-backed cyber groups are going to start attacking critical infrastructure in countries that support sanctions against Russia. One argument is that as this war goes on the risk of that increases as the Russian people start to feel the impact of sanctions.
David: I think it’s likely that any kind of attacks will be through proxy groups like cybercriminal gangs that have been operating within impunity in Russia for years. It gives the Russian government plausible deniability – ‘Hey, it’s not us. It’s these criminal gangs. By the way, we were co-operating with you in January. We were arresting the gangs. But now you’ve been hostile to us. You’ve put these evil sanctions on us and we’re not going to go after these folks.’ Maybe they were so co-operative before the invasion was to show ‘If you’re nice to us we can continue to rein these groups in. If you’re not nice to us we’re going to let them loose.’ Given the currency crunch that’s going to happen over the next couple weeks in Russia, being able to leverage ransomware attacks to hit organizations and generate funding could significantly help. This is North Korea’s playbook. All of their ransomware attacks and all of their attacks on cryptocurrency exchange has been a need for U.S. dollars to fund its missile program. Russia will face the same pressures. This is why cryptocurrency exchanges — which have had a very bad start to this year where several hundred million dollars in assets were stolen from them –are going to be under incredible pressure as well from these criminal groups.
Howard: You mentioned earlier the international rules of the road on cyber attacks. The United Nations just started a three-year discussion about cybercrime, what countries can do and whether there can be an international treaty. One wonders whether this international tension between Russia and many other countries is going to spill over on the U.N. negotiations and whether Russia will be more obstinate in those discussions or more compromising.
David: I expect Russia’s willingness to play on the international laws-based order is going to be pretty low considering their invasion and then the subsequent consequences which they appear to be surprised at. We have the Budapest Convention on international legal co-operation. About 40 countries around the world signed on to it. It’s a good start, and we’ve certainly seen benefits from police co-operation. Prior to the invasion of Ukraine the co-operation between their police service, the FBI and other global services was putting a real dent in some of the affiliates and the cybercrime gangs operating in eastern Europe. Meaningful International approach is going to be even harder to actually muster because they [Russia] is going to have to set down these amazing capabilities that they’ve been investing in and I don’t think they’re gonna blink on that I don’t think the Americans would even blink either.
Howard: And then there’s the other side of this conflict: The Conti ransomware gang endorsed the Russian attack and for that it may have been dealt a crippling blow. Because someone retaliated by hacking the gang and releasing some of its internal messages and the source code for its ransomware. Has the gang been hurt?
David: The gang has been devastated. Does that mean that they can’t come back? No. These cats are the cockroaches of the cyber world. They just keep on coming and re-brand themselves. But it has been an absolute treasure trove for threat intelligence, for law enforcement. We don’t know what’s been sent to law enforcement separate from what we’ve seen posted publicly from the Conti hack. I’ve certainly enjoyed the leaked conversation. some of the highlights for me are some of the bitcoin addresses that have been published. Some research seems to show that Conti may have made as much as $2.7 billion worth of crypto since 2017, which is stunning. The other thing that was a really juicy tidbit in their chat — and again, I don’t know if this is true — they mention they have a friendly journalist who is willing to work with them to add extra pressure on a target for a five per cent cut of the ransomware.
One other thing from the chats I thought was really interesting was something you and I have talked about in the past, which is the role of cyber insurance. The Conti chats confirm they look for potential victims with cyber insurance and they prioritize their targets by who had a good cyber insurance policy.
Howard: There’s another angle to this war: It may impact the ability of countries to make semiconductors.
David: Ukraine produces up to 50 per cent of the neon gas the world requires for the lasers that do all the microchip etching that we rely on. Apparently the gas that they produce is a byproduct of Russian steel production. So this whole global integrated supply chain nightmare just keeps finding new ways to scare us.
Howard: Before moving past Ukraine I also want to talk about Eugene Kaspersky. On Monday he tweeted this: “We welcome the start of negotiations to resolve the current situation in you in Ukraine. And hope that they will lead to a cessation of hostilities and a compromise we believe that peaceful dialogue is the only possible instrument for resolving conflicts war isn’t good for anyone and he and he also said like the rest of the world. We’re in shock regarding the recent events. He also said, “Like the rest of the world we’re in shock regarding the recent events. The main thing that we can do in this situation is provide uninterrupted functioning of our products,” meaning Kaspersky products and services. Critics quickly complained that he didn’t use the word Invasion. He called it a “situation.” Should he have used that word? Or did he go as far as he could under the circumstances?
David: I think Eugene is damned if he does damned if he doesn’t in this situation. Kaspersky’s had a rough decade when it comes to folks’ perceptions of Russia and U.S. government suspicions around its relationship with Kaspersky. In some cases saying nothing might be your best strategy. I don’t know what the PR advice was to get in the middle of this. But if you are going to talk publicly about it, it’s probably good to be honest — it’s an invasion. It’s an illegal invasion. He probably didn’t say it because he wants to protect his company and his staff members who are in Russia. I get it totally, understand that. But if you can’t call it like it is you just lose credibility all over the place. I don’t think he could have gone as far as that under the circumstances because he likely is very much worried that his company and his team members might suffer consequences. If that’s the case, the tweet should have been, ‘This is a situation we can’t comment on.’ Or just say nothing.
Howard: Let’s move on to the Sophos report on the hacking of a Canadian Healthcare care provider last year. Two ransomware groups separately broke into the company by exploiting the ProxyShell vulnerabilities in Microsoft Exchange Server. The first group broke in in August, 2021. The thing is several months before Microsoft had issued patches on this to close those vulnerabilities. Isn’t this another example of a failure to patch biting a company?
David: Absolutely. We saw this absolute barrage of attacks against the 400,000 internet-facing Microsoft Exchange servers [when news of an exploit was revealed.] And you know, healthcare iin Canada is ridiculously under-resourced. Governments and healthcare authorities want to spend on frontline healthcare workers and services. But IT is the force multiplier for healthcare. It’s 90 per cent of [a provider’s] ability and their efficiency. So we’ve under-resourced in this area. This is yet another Canadian healthcare story … What’s really interesting is the behaviour of the two gangs. One, called Karma apparently has some kind of scruples. They realize it’s a healthcare organization. So they don’t ransom it. They don’t encrypt the files. They don’t cripple the digital imaging. They only steal the highly sensitive information patient information and attempt to do extortion. And then rolls in Conti and it’s like, ‘We’re gonna encrypt everything.’ I think this is one of the first times I’ve seen a multi-party attack inside a single organization.
Howard: And it wasn’t just the lack of patching. Failure to adequately protect the employees’ login credentials allowed both attackers to compromise accounts and elevate privileges so they could worm further into the company.
David: It’s interesting. The security advice is always pretty typical — multifactor authentication, antivirus, all these different security controls that are perfectly fine in a traditional corporate environment. But when you look at healthcare you get into some really interesting ethical and technological and business process challenges. If adding MFA slows down the nurses at nursing stations when they do shift changes or to log into things, all of a sudden critical minutes or information is unavailable when a patient really needs it. There’s these really interesting unique pressures on healthcare where just throwing security solutions isn’t always the right answer. In fact, there was an interesting study in the United States that showed after a ransomware attack against a U.S. hospital when they put the security they actually slowed down response times for heart attacks inside the hospital. So hospitals are in a tough bind: They have to step up IT security but they have to find ways of minimizing impacts on healthcare delivery.
Howard: One problem in this attack was there was no malware protection on servers. Usually — hopefully — there’s malware protection on desktops. But there was no malware protection on the servers that could have helped block this attack. Is that what you’re finding when you talk to to other organizations?
David: Yes. I’m not surprised about that, particularly in health care. They often do the bare minimum. They don’t have the teams or the budget to get the more advanced tooling that we see in finance or telecom. And even if they did have malware protection on the servers do they have the right alerting to have people act on it? Do they have the network visibility to see lateral movement? Most of them don’t even come close some of those capabilities require. You to have a security operations center. But small and mid-size hospitals and even some hospital networks in Canada don’t have any of those things in place. That speaks to just how under-invested they are in IT.
Howard: Before I leave this I want to come sort of in a way full circle back to Ukraine because I was listening to a webinar yesterday by the SANS Institute on quick ways to prevent cyber attacks from nation-states. And the number one way was patching. Patch strategically but patch fast. There’s a link to that story here.
The final story I want to touch on is the alleged attempt to extort money from graphics card maker Nvidia. It was hit by the Lapsus$ gang that apparently stole some source code. Nvidia has crippled the processing power of some of its lower-end graphics cards so they can’t be used for cryptomining. The hackers are reportedly threatening to release the stolen confidential code from Nvidia unless those restrictions are dropped.
David: This is a fascinating case because reportedly Nvidia tried to hack back. They got into the gang’s system and encrypted the data that was stolen. Unfortunately for Nvidia, it appears that the Lapsus$ gang follows cybersecurity best practices and they have really good backups. It also highlights the pressure that Nvidia and others are are feeling when it comes to cryptomining. There are a lot of gamers out there who are pretty frustrated that they haven’t been able to buy the latest and greatest video cards because this stuff just gets get scooped up for these massive cryptomining farms. Nvidia was trying to strike a balance and keep its customer base happy, and then walked into a rather interesting attack.
Howard: It’s also another example of how stealing sensitive corporate data — and in this case source code for the software that runs products — can be used by a hacker in an attempt to extort money.
David: In some ways the cybercriminal market for personally identifiable information usernames and passwords and that sort of stuff is at rock bottom because there’s so much stolen information like that out there already. Personal health information still has a high cachet, but corporate information and sensitive information are key [for crooks]. Look at the damage that was done to Sony by the Lazarus group in North Korea when they grabbed all their emails and slowly leaked them, embarrassing the company. Companies don’t realize now that that sensitive data is not only PII. It’s your business secrets.