Published: March 12th, 2021
Welcome to Cyber Security Today. This is the Week In Review edition for the week ending Friday March 12th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In a few minutes I’ll talk with this week’s guest contributor, Terry Cutler of Cyology Labs. But first a look at three of the top news items from the last seven days:
IT administrators continue patching their Microsoft Exchange Servers. It’s over a week since urgent updates were issued to cover four serious vulnerabilities called ProxyLogon. However, there’s evidence Exchange Server administrators are not working quickly: On Tuesday — a week after the first alert — Palo Alto Networks said web scans suggest 125,000 internet-connected Exchange servers around the world were still vulnerable, including 4,500 in Canada and 33,000 in the U.S.
UPDATE: After this podcast was recorded Palo Alto Networks issued new figures. The number of unpatched servers detected by its Expanse platform had dropped Thursday to 2,700 in Canada and 20,000 in the U.S.
One incident response firm here told me on Wednesday that it knows four Canadian organizations had been hacked shortly before Microsoft issued its patches.
Among the victim organizations is Norway’s parliamentary email system. Security researchers from ESET think as many as 10 threat groups are taking advantage of vulnerable Exchange servers.
Terry and I will talk about this crisis in a few minutes.
Verkada is a cloud-based provider of video security for organizations that says its systems are secure by default. However, this week it suffered a major system compromise. According to Bloomberg News, a group of anti-surveillance activists say they accessed and captured live feeds of video cameras in hundreds of companies, hospitals, police departments and schools.
The hackers told Bloomberg they were able to compromise Verkada after finding the username and password on the Internet of a super IT administrator who had wide access. In response Verkada disabled all internal administrator accounts.
In a statement Verkada said the attack targeted a server used by its support team to perform bulk maintenance operations on customer cameras, such as adjusting camera image settings upon customer request. In gaining access to that server the attackers obtained credentials that allowed them to bypass Verkada’s authorization system, including two-factor authentication.
International Women’s Day was marked on Monday with a number of events. One I covered was a virtual panel of women in senior cybersecurity positions at Microsoft, Palo Alto Networks and Cisco Systems. Among other things, they talked about the importance of getting teens and even pre-teen girls interested in technology if we want to increase the number of women in IT.
(The following is an edited version of my chat with Terry Cutler of Cyology Labs. To hear the full version play the podcast.)
Howard: First I want to talk about International Women’s Day. You and I were among the preliminary round judges for IT World Canada’s Top Women in Cybersecurity contest last year. Tell me about your impressions of the submissions.
Terry : I was actually really impressed. I didn’t know there were that many women in cybersecurity. I was happy to see the amount of nominations …It was actually pretty hard to judge, to be honest. Not only because of the sheer amount of people, it’s because not many of them post a lot of content, so it was hard to see who’s who, and who’s made the biggest impact in the industry.
Q: Do you think women are a little modest in talking about their achievements in cybersecurity?
Terry:I think they are because a lot of times they’re more criticized more harshly than men. The common feedback (I get from women) that they have to work twice as hard as men to prove themselves. So it’s harder for them to make an impact right out the gate.
Q: Over the years in your career, how have you seen women in cybersecurity treated?
Terry: Not equally, unfortunately, because it is more of a male-dominated field. When a women shows up at the table a lot of men are like, ‘Well, what could she possibly know about it?’ So right away, they’r not the same level. They have to work twice as hard as men to prove their point. (And) women think differently when they approach a problem. Here’s a real example: When we did a penetration test on a company we had a woman that was helping us … Myself and my colleague were sitting there scratching our heads about a certain problem that we’re trying to exploit. And all of a sudden out of nowhere, she comes and looks at it at a completely different angle, which allowed us to get in … Women actually compliment the men in, in various ways because they think differently to a problem.
Q: And that’s a great example of why IT teams, security, any team in an organization needs to be diverse.
How can men do more to support women in it and in cybersecurity in particular?
Terry: A couple of things. One, I think men can help women help build their personal brands. That was one of the things I noticed right away when I was doing the judging: They need to learn to be confident in front of a camera, share their knowledge so they can get up there with men. I’ll give you a perfect example. The late Shon Harris was one of the authors of the CISSP certification program. A lot of people didn’t even know that she was a female, when she was the dominant force in that certification. Men have to also not objectively look at females as less than equal. They need to give them a chance to speak their voice, share their experience, share their, their knowledge and share how they would attack a problem.
Q: Before I leave this topic, I want to remind listeners that September 1st is Women In Cyber day, and there’s a petition to have it recognized by Parliament. A link to that petition is in the text version of this podcast at ITWorldCanada.com. I’d also like to remind you that the eighth annual Women In Cybersecurity conference is scheduled to be held in Denver, starting September 8th.
Next, we’re going to look at the Microsoft Exchange Server vulnerabilities and the crisis that they’re causing. This, in my opinion, has the potential to be more serious than the SolarWinds breach. The Exchange incident could involve thousands of email servers. The attacks are ongoing, and the servers have contents that may or may or may not have been encrypted. Terry, have any organizations come to you for help since January with suspected exchange server compromises due to these vulnerabilities?
Terry: Absolutely. One came to us last week. It was a law firm and the administrators found one of the eight .ASPX files on their server. At this point it’s an active investigation, we don’t know what the hackers had access to. Could they have downloaded a lawyer’s mailboxes? What was taken? It’s going to be a PR nightmare because they have to disclose to their commission board what was taken.
One of the files that they found on their exchange server was a file called web dot ASPX. These were web shells that were left behind [by the attacker]. When these files are found, there’s, there’s a good chance that they were compromised. We found out that they got in on February 24th, and the Microsoft alert came out on March 2nd. So they’d been in there for an entire week.
Q: Certainly one thing in this incident that’s vital is patching won’t help if an attacker has already left a backdoor, or as you say, a web shell. You’ve also got to investigate for signs of compromise, such as the installation of unapproved web shells.
Terry: And that’s the hardest thing to uncover because a lot of these are what are called covert channels. They’re secure communications. So it’s very, very hard to see this in your firewall logs or your IPS systems, because the traffic is still using SSL traffic. So how do you know what’s happening here? You have to have other technology in place that allows for investigations of indicators of compromise. Is it normal that this computer is talking to that system every 13 minutes and four seconds and shares the same amount of information every single time? Well, that could be a beacon [to the attacker] for all we know. That’s why we have to sort through the traffic and see what machines have a back door installed that would allow hackers to get into their system. Another thing that happens, too, that most people don’t know, is a hacker might harden do on your behalf is actually harden your system because they don’t want other hackers coming in and destroying all their hard work.
Q: One thing that’s bothered me is it’s been over a week since Microsoft issued their patches but according to Palo Alto Networks their telemetry indicates tens of thousands of Exchange Server installations haven’t been patched yet. Why are IT administrators seemingly slow to patch? I mean, heaven only knows there’s been enough warnings.
Terry: I can talk about some of that from personal experience. I was an Exchange administrator at one point, and sometimes when you apply these updates it breaks other software and technologies on the system. For example, in one case, we had a homemade ticketing system that was running on SQL. And when we then did certain updates, it would break that system or, or it would prevent us from upgrading because we weren’t at a certain level of another software. So when they [vendors] go and do all these mass updates, they don’t know what it’s going to break. That’s why IT administrators are sometimes fearful to update these things. They’re already short-staffed as it is most of the time, they’re just trying to keep the lights on. The other issue too, is that some of these updates don’t come down automatically through Windows Update. You have to manually go and get them. So unless you’re constantly getting alerted that these new updates are coming out, you might not know that a patch was available.
… There’s always a debate on why are companies still running on-prem servers when they should be running on Office 365 in the cloud, which is far more secure. I think a lot of this is around mindset. Some companies, like law enforcement and such, want to keep their servers local because when it’s up in the cloud they don’t really know who’s got access to their system — maybe a rogue administrator in the backend can see their stuff — so they want to keep it in-house. But when they keep it in-house, now they have to maintain it.
Q: Finally, I want to take a look at the Verkada video camera breach. That’s the company where hackers got in and found access to video cameras that hundreds of companies around the world had set up and use Verkada a service. One of the things that caught my eye was the ability of the hackers to bypass the two-factor authentication once they got in. Can you tell us how important it is to properly set up two-factor or multifactor authentication?
Terry: Multi-factor authentication is key today. From what I’ve read about this story a super admin password was found on the internet … We need [also] to start implementing things like zero trust. Nobody is safe [on the corporate network]. And use multi-factor authentication everywhere. If you don’t have an in-house cybersecurity team, then work with a partner that can augment your security by looking at logs and correlating all this stuff, because right now hacking is out of control.
Q: Security experts are increasingly talking about zero trust architecture. Any sense how many organizations have implemented that strategy?
Terry: I’ve never met one yet. They’re trying. But what happens is that once they start on this project, they see how much effort it is on their users, who can’t get their work done in a timely fashion. They don’t want to enter their passwords multiple times a day. And then what happens is because it’s causing a business disruption, they move away from that project, unfortunately. Then they wonder why they get hit with ransomware.