Welcome to Cyber Security Today. From Toronto, this is the Week in Review edition for the week ending April 15th, 2022, I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com. Thanks for tuning in on what is a long weekend in many countries.
In a few minutes guest commentator Terry Cutler, head of Montreal’s Cyology Labs, will join me to discuss some of what happened in the last seven days. But first a roundup of some of the week’s headlines:
The annual Identity Management Day to raise awareness of this important security control was held earlier this week. Terry will weigh in with his thoughts on where IT leaders are going wrong with their identity and access management programs.
We’ll also take a look at last week’s news that the FBI took out a botnet composed of compromised WatchGuard firewalls. There are two questions: Was it right for a U.S. court to give the FBI permission to remotely defang devices without the permission of user organizations? And did WatchGuard customers have enough notice that a security update needed to be installed?
And we’ll also delve into a report about how undetected threat actors spent five months roaming around a U.S. government agency’s IT network before deploying ransomware. Why weren’t they detected and what lessons can be learned?
Elsewhere, U.S. intelligence agencies warned companies using network-connected industrial control systems that advanced hacking groups have a new malware toolkit aimed at them. Companies — especially energy providers — are urged to install detection and mitigation procedures.
Microsoft said it took down the ZLoader botnet of infected computing devices. The botnet was rented out as a malware-as-a-service delivery platform to distribute ransomware. However, Microsoft expects the ZLoader operators to try to revive the botnet.
More botnet news: Researchers at Fortinet found a new botnet that can be used for denial of service attacks. It’s called Enemybot, and is believed to have been created by the Keksec threat group. It leverages routers with easily cracked or stolen passwords.
Developers using the Spring Framework for creating Java apps were reminded of the need to patch the suite fast. That’s because unpatched versions can be hijacked by the Mirai botnet.
IT departments using the AWS Lambda computing platform were warned to watch for malware that can install crypto-mining apps.
Panasonic acknowledged its Canadian division suffered a cyber attack. The Conti ransomware gang is taking credit.
And the U.S. and Europol announced the seizure of the dark website called RaidForums, where stolen data was bought and sold. The U.S. also unsealed six criminal charges laid against the site’s founder and chief administrator and is trying to extradite him from Britain.
(The following transcript has been edited for clarity)
Howard: As I said earlier, Identity Management Day was held this week. It’s sponsored by companies that sell identity and access management security solutions as a way to remind IT leaders of the importance of this security control. First, what does identity management include?
Terry Cutler: I’m going to go high-level for this. It’s basically technology that would allow you to give privileged access to your employees to log into systems as quickly as possible and as easily as possible. While the logging is happening, or while two-factor authentication is happening, it provides the user secure access to services that they typically would have access to. I’ll give you an example: This is dating myself now. I used to be a premium support engineer for Novell. And one of the technologies we had there was identity and access management. We had a concept there called Zero Day Start and Zero Day Stop because we were seeing a lot of issues where people would start with a company but when they left the company their accounts still stayed open. Or they had bad passwords or issues where the employee needed access to another system, which required another team to change their account. And then they [admins] would forget about it. So, Zero Day Stop, Zero Day Start. It would create my account in eDirectory, then it would synchronize with Active Directory and keep my account there and create an extension in the phone system, go into the process management system to order my cell phone, set me up in the billing system — and in the moment I leave all those accounts get closed in one shot. Then management gets a notification that, you know, I’m now disabled and the system is secure. That’s required today.
Howard: So identity management is the managing of whatever kind of identity control is used at the company — whether it’s password, multifactor authentication, biometrics — managing that from the onboarding of a new employee, as he shifts from job to job within a company so that access to certain assets or databases changes, to when the employee leaves and the deletion of his access.
Terry: That’s right. This reminds me of a report. Two doctors were married and then divorced. One of them worked at a hospital where the other one was a patient. That doctor accessed the medical records when they weren’t supposed to. That was flagged and senior management received an alert. This technology is all there.
Howard: And identity management also includes access management, which is: you can access this particular database or you can’t access that particular database.
Terry: There’s even another part that’s available called user activity or behaviour monitoring. So if one person always logs in from Montreal and if the account is being taken over by somebody else in another location the system will pick that up and based on policies will either deactivate the account or send an alert.
Howard: According to a number of surveys many data breaches have identity-related elements such as taking advantage of stolen or easily cracked passwords. Is this a user or an IT department problem?
Terry: I believe this is everyone’s responsibility. It all comes down to passwords being reused or not created correctly — they’re very weak. And people use their corporate password
Then passwords leak from a data breach. They use the same password everywhere online. So if, let’s say, a real estate company gets hacked and they use the same password on their corporate email account and their personal email, now they’ve caused a possible business email compromise. Multifactor authentication may be enabled but is not implemented properly. That’s a common comment I get from a lot of businesses — MFA is installed, but just for senior management. And then there’s the problem of login accounts staying open after employees left.
Howard: You mentioned multifactor authentication. Security experts say repeatedly that multifactor authentication is one of the most important things a company can add to its identity and access management controls. It certainly greatly lowers the risk of a third party being able to break into a company merely by knowing a username and password. What does it take to implement MFA properly?
Terry: A common comment I get from a lot of businesses is that implementing 2FA is difficult. And that it hinders productivity for the users because a lot of them are technologically challenged. They don’t want to enter a two-step verification every single time they log in. They have to understand that security is not about convenience. There is [authentication] technology available such as [Cisco] Duo, for example, that allows them to implement 2FA correctly and easily. It really comes down to awareness training for the user of the importance of using MFA. If they understand that — the importance of security — they’re going to be able to take this information to their home as well and protect their home email accounts with 2FA as well.
Howard: And the thing about multifactor authentication is it’s not merely adding the technology. You’ve also got to have business processes to make sure that hackers can’t get around the technology. The most common example is the hacker calls up the IT support team and says, ‘I’m having trouble logging in. Can you change the phone number where the [2FA] code goes to?’ And so the third-factor code that you need for logging in goes to the hacker’s phone. Or if it’s a bring-your-own-device corporation and it’s a telecom carrier that has the phone, then what the hacker does is sing a sob story and convince the cellphone provider that they need to change the phone number of the victim. There’s another common place where companies make mistakes with multifactor authentication: They use SMS texts as the vehicle through which the code goes, instead of signing up for, as you said, Cisco Systems’ Duo or Microsoft Authenticator or Google Authenticator.
Terry: And that’s the challenge. There are so many moving parts that unless you’re a specialist in these things to look out for it’s going to be really challenging for IT to implement this. That’s why they need to team up with someone in cybersecurity or maybe work with a managed service provider to help with MFA.
Howard: Looking back at your work with companies over your career, what are IT leaders doing wrong in identity management?
Terry: I think the biggest challenge was that a lot of companies tried to do it themselves instead of hiring specialized consultants. A lot of times consultants see things that the business owners or business management team wouldn’t think about. So they often misconfigure these systems and they can also leave it open to attacks. Usually the vendor provides a consultant.
Howard: Identity management also falls into creating a zero trust environment. Can you talk about that?
Terry: It’s very important that we maintain the management of access to make sure there’s proper logging in place and of course a two-step verification. We’re seeing more zero trust methods where we’re moving away from passwords. We’re going to see users that are cryptographically bound to their device so it’ll have their digital signature there, so IT knows which machines those trying to access the network are coming from. They’re also making sure that the endpoint or the device that they’re logging in from complies with their policies. And then there’s going to be some cryptographic stuff happening on the device to make sure the right keys are being used to allow them to log into the system.
Howard: Is good identity management expensive?
Terry: It can be, but it’s nowhere near as expensive as a data breach. If we look back when IDM first started coming out we just had to worry about network-based security and that the architecture had to work together. It was very, very expensive at the time. Today we have to worry about data in the cloud. So the security boundaries are very, very difficult — can this user log in through the firewall to access the services? We also need to start implementing AI to start learning user behavior.
Howard: Everybody loves lists. What are the steps to creating a mature identity and access management strategy?
Terry: We mentioned zero trust. That’s the goal. But to implement zero trust, personally I think it’s extremely difficult to get there because you need to have the proper staff in place to be able to monitor all these moving parts. One, obviously, is multifactor authentication. You also need a list of all of your privileged accounts — and you want to avoid having as many privileged accounts as possible. You want to have a strong password policy. You want to have a proper onboarding strategy for when an employee starts on day one — what does he have access to? What does he not have access to? You want to track the access through his career. You want to make sure access meets regulatory compliance. You want to make sure all the access logging is capable. Ideally, you want to move away from passwords.
Howard: Let’s move on to the report of the FBI using a U.S. court order to disinfect a botnet of compromised WatchGuard firewalls. Earlier this year WatchGuard warned network administrators to patch the devices because they were being compromised to create a botnet dubbed Cyclops Blink. It’s thought that the Russian-based Sandworm gang is behind this. However, by March over half of the devices remained infected. So according to the Ars Technica news site, the FBI got a court order allowing it to remotely access infected WatchGuard devices connected to 13 U.S.-based IP addresses being used for command and control. As a result of the FBI disinfecting these devices all of the thousands of other infected devices around the world were severed from the botnet. But it was also reported that WatchGuard knew months before this and patched the vulnerability. It was only told last November that the vulnerability was being used in a botnet, but it couldn’t report that until February because the FBI was investigating. So this incident raises two questions. First, is it dangerous for law enforcement to get a court order to get into devices without the owners’ knowledge if the goal is cybersecurity?
Terry: That’s an interesting question, and also an interesting story. I’m thinking that the botnet or the infected firewall was basically tied to possibly critical infrastructure. They [the FBI] probably saw in the logs and realized if we deactivate these 13 machines we’ll shut down pretty much the majority of the botnet infrastructure. So they worked with WatchGuard, signed into these machines and were able to confirm the presence of the malware. They took asset management of the box, and they copied that list to other infected Cyclops Blink devices. Then they were able to disinfect those machines and closed the internet-facing ports of those devices so that Sandworm wouldn’t be able to remotely access them anymore.
Howard: The news story said that the court order made sure to specify that the FBI didn’t leave any artifacts, didn’t leave a backdoor on the devices that it got into. But some security people would say this is a really dangerous precedent. Maybe the proper thing to have done was to get in touch with the owners of these devices and tell them they have to act fast.
Terry: It’s a slippery road. They looked at the benefits versus the disadvantages. Obviously you’re going to be helping the business to protect their environment, but at the same time are they going to do this for everyone? In this case, doing 13 machines gave them the biggest bang for their buck in shutting down that botnet.
Howard: The second thing about this is were companies hurt by not being notified by WatchGuard early enough? WatchGuard knew I think in the middle of last year that there was a vulnerability and they put out a patch. In November the FBI said [to WatchGuard] this vulnerability is being exploited in a botnet. But apparently WatchGuard couldn’t tell its customers that because the FBI was still investigating. So customers really didn’t find out about this until either January or February. Is that acceptable?
Terry: Yes and no. Companies could have avoided being hacked during that time. But at the same time it takes a while [for police] to investigate what’s really going on. They don’t want to shut down the system and alert the bad guys. They want the bad guys to make a mistake so they can track back who’s behind this. So it’s a double-edged sword. There’s also the problem of attacker attribution. There are over 10 ways to hide your tracks. That’s what takes the longest part of an investigation.
Howard: The final story that I want to look at is a report from Sophos about a ransomware attack on what’s been described as a regional U.S. government agency. Two, or more, threat groups spent five months undetected on the IT network of this agency before one launched the LockBit ransomware. The initial compromise was through open remote desktop protocol ports on a firewall that was configured to provide public access to a server. And bad luck for the agency, the computer user account that they broke into had domain administration permissions. What a lucky break. So the attackers could create admin-level accounts on other servers and desktops. And then once they had that access things went downhill from there. First, what struck me was the attackers spent five months on the network undetected. What struck you about reading this report?
Terry: For years we’ve said the average attackers hide in your system for at least 283 days. And this is a perfect example of why you need to have technology that can monitor your endpoints, your network and your cloud infrastructure 24 by 7. When we offer this service to our clients we ask, ‘What do you standardize on?’ They’ll say RDP is our standard [for employee remote access]. Then during a scan we’ll see that they have AnyDesk installed. In this case the IT technicians made a critical mistake and disabled defensive features that would have stopped this attack. When the attackers got in, they disabled the endpoint protection on the servers and some of the desktops. Then they were able to install other technology and have a back door into the environment.
Howard: Interestingly, the report suggests that the attackers initially weren’t prepared to exploit their access. The hackers clumsily pulled together a selection of attack tools. Not only that the attackers didn’t seem to be working on American holidays, which is when IT teams would be relaxing.
Terry: That’s a perfect example of when guys are hiding in your system for months or years nobody’s going to know about them until they make a mistake.
Howard: And then after five months something changed: One attacker — and it isn’t known if it was the original group or whether the group hired someone who knew what they were doing or whether it was a new attacker who was able to realize that this organization had been exploited — installed the Mimikatz password sniffing tool so they could harvest usernames and passwords. Sophos’ software saw that — because its software was being used by this particular agency — and it cleaned the first attempt at infection. But the IT department didn’t take that as a clue that there was something wrong. So the attacker was able to come back and on the second attempt installed Mimikatz and began collecting user passwords. And then finally the IT department clued in that there was something going on here and they acted. And there was this back and forth fight with the attackers for about 10 days, which culminated in the deployment of ransomware on some computers. Terry, what were the mistakes made by this agency’s IT teams?
Terry: IT guys are not cybersecurity folks. They have a big job making sure systems are up and running and maintained as much as possible. But at the same time these guys are receiving hundreds of daily [software security] alerts, and a lot of them are false positives. They’re usually overworked and possibly under-trained. A lot of times they ignore the errors; they’re not trained in incident response. When we look at tools like Mimikatz, that’s a tool we often use in our penetration testing jobs. It’s a fantastic tool. I can pull down all of the user accounts and associated passwords on a server. If I gained access to the receptionist’s computer and the IT guy signed in at one point, I’ll actually be able to extract his password from that. I can do what’s called a pass the hash attack where I’ll be able to log into as many servers as possible without ever knowing the guy’s actual password. A year and a half ago we had a case where a customer was running endpoint detection and response technology but because the password hash leaked onto the dark web an attacker was able to sign in and disable half of the EDR technology. You need to have [defensive] technologies in place.
Howard: By coincidence we can circle back all the way to identity management, because one of the best ways in which you can fight something like the Mimikatz credential-stealing tool is having multifactor authentication.
Terry: Absolutely. Identity access management is going to be key going forward because you need the automation it offers. It’s way too difficult right now to secure environments because there’s so much stuff flying at us right now: so many alerts, so much logging, so many ways for attackers to get in. You’ve got to protect the crown jewels as much as possible. Identity and access management is definitely a tool that businesses are going to use.