Welcome to Cyber Security Today. This is the Week in Review edition for the week ending June 18th. From my studio in Toronto, I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In a few minutes I’ll be joined by Terry Cutler, the head of Montreal’s Cyology Labs, to discuss some of the headlines from the past seven days. But first a quick review of what happened:
It’s been a bad week for ransomware gangs. Police in Ukraine arrested six people they say were involved in the Clop ransomware gang. It isn’t clear if they were developers or merely affiliates, but news reports say the web site the gang uses to leak stolen data was still online. That suggests authorities haven’t been able to close the gang’s infrastructure. Meanwhile the Avaddon ransomware gang has apparently given up because it released all of its decryption keys. Those keys can now be used by security companies to create decryptors to unscramble data of Avaddon corporate victims.
There was other bad news for crooks. The police co-operative Interpol helped oversee authorities from 92 countries seize numerous websites and online marketplaces selling counterfeit and illicit health products. These include fake drugs and COVID-19 tests. The raids conducted last month were the latest in a series that started in 2008. Over those years a total of 82,000 websites have been shut and 3,000 people arrested. But organized criminal groups behind illicit drugs keep going.
A U.S. jury in Connecticut convicted a Russian national for operating a crypting service for crooks to conceal malware from being detected by antivirus software. The accused provided the operator of a botnet with a custom high-volume crypting service. That botnet was used by other criminal cyber gangs for distributing malware and ransomware. The 41-year old man, who was arrested in Spain in 2017 and extradited to the U.S., will be sentenced in September.
Another misconfigured corporate database figured in this week’s news. On Thursday we learned a researcher had discovered a huge unprotected online database with metadata such as queries for medications belonging to pharmaceutical giant CVS Health. The worry is in the wrong hands that data might be matched to customers. That misconfigured database with 1 billion records was hosted by a third-party partner of the pharma company.
Separately, researchers found that a way of supposedly confirming orders made by online customers at baby clothing retailer Carter’s actually put them at risk. Purchasers had to click on a link to confirm their order, but the link could have been used by a hacker to get buyers’ names, delivery addresses and email addresses.
Canadians remain apprehensive about the protection of their personal information and certain online practices, a new poll commissioned by the Office of the Privacy Commissioner of Canada suggests. Almost 90 per cent of respondents said they are concerned about people using information available about them online to attempt to steal their identity. The same number are concerned about social media platforms gathering personal information that they or someone else posted online to create a detailed profile of their interests and personal traits. And 88 per cent are concerned about how companies and organizations might use information available about them online to make decisions about them, such as for a job, an insurance claim or health coverage.
Finally, U.S. President Joe Biden and Russian President Vladimir Putin had a four-hour closed-door chat in Geneva about a number of things, including the increased number of cyber attacks allegedly coming from groups based in Russia.
(The following is an edited version of my talk with Terry Cutler)
Howard: I want to start off with Biden and Putin. After the SolarWinds attack and the Colonial Pipelines ransomware attack, the Biden administration has been angry at Russia. Both attacks have been blamed on Russia-based groups. So security professionals were keenly interested in the talks. What happened?
Terry: The Washington administration was blaming Russia for these cyber attacks. But Russia on the other hand is saying, ‘The U.S. has been attacking us as well.’ And in the end, they’re gonna turn over these cybercriminals to each other for prosecution. I’m not sure how much of that is really gonna work, but they’re also saying there are some things that are off-limits — for example, critical infrastructure. You know, you can’t start attacking our water, our water supplies or energy.
Howard: And what they’ve done is agreed to put this off. They’re going to talk more, see if they can come to an agreement on defining things like which critical infrastructure sectors are off limits.
Terry: Yeah. Because they want to avoid another cold war. I think World War Three is not going to be done with bombs. It could be done through cyber attacks. Imagine shutting off the electricity grids or contaminating the water supply. That can easily cripple a country.
Howard: And Russia has been blamed for being behind cyber attacks on the Ukrainian electric grid in, if I recall correctly, December of 2015, and then December of 2016. There were huge power outages in Ukraine. And cybersecurity experts say this is awfully suspicious. And the only group that would really be interested in that would be Russia, which is having some conflict in Ukraine.
Terry: But again, there’s nothing stopping someone in Canada, for example, setting up some servers in Russia and launching all my attacks from Russia … Because cybercriminals now can hide their tracks so well that sometimes most of them, you don’t even know where they’re coming from.
Howard: And nation-states can hide their tracks as well. I think your point is that attribution isn’t easy. At least attribution isn’t easy if you’re a private sector cybersecurity company. If you’re the U.S. National Security Agency it may be a bit easier.
Terry: Washington came out saying we have a new thing in place with the Department of Justice and the FBI that are going to be teaming up together along with international agencies as well to help shut down and disrupt or prosecute ransomware gangs. And that’s where we’re starting to see a lot of these gangs being shut down … If you look online a lot of governments are hiring open-source intelligence experts or cybersecurity folks. You know, there was an ad that came out a couple of months ago that said the (U.S.) Department of Justice is hiring 500,000 cybersecurity experts. But where are you going to find them?
Howard: I think that Biden and Putin and a lot of other countries would probably agree that espionage — which is stealing government data — is fair game, but attacking critical infrastructure, which not only includes hospitals and utilities, but also food suppliers and the transportation network, that is out of bounds. Do you think the U.S. can get Russia to agree on that?
Terry: I think they can, but what will be interesting is the old saying, ‘The enemy of my enemy is my friend.’ So if Russia, let’s say, wants to do an attack on critical infrastructure in the U.S. they can just go to another cybercriminal group …
Howard: It certainly raises the question that if Colonial Pipeline can’t protect itself against cybercriminals, how can it — or any company — protect itself against a state-backed actor?
Terry: That’s a really great question. And I think what’s happening is that the whole notion of nation-state criminals or cybercriminal groups is kind of blurred now, because the state actors can go through a proxy group and use them as allies to attack the target. And then they’ll wash their hands of the situation … and most companies are not protected. They don’t know what’s running in place. They’re not doing their audits properly. They’re not using more advanced cybersecurity capabilities to prevent ransomware attacks or hacks.
Howard: Interestingly, in the past week or so things haven’t been good for ransomware groups. Yesterday Ukraine said it took down the Clop ransomware group, and the Avaddon ransomware group over the weekend released its decryption keys. Now cybersecurity companies can make decryptors, and organizations that have been victimized by the Avaddon strain have a free way to unlock their data. The Darkside group has apparently given up. What do you think is happening here?
Terry: Well, I think it’s about time. Because for years we’ve been wondering why these guys aren’t being arrested. So because of this joint collaboration, the FBI and Department of Justice are able to get search warrants and get things done quicker and use their capability to stop these gangs … We [cyber security companies] have done search and seizures in the past. [In Canada] it’s called Anton Piller orders, where we show up at a company and confiscate their electronics. And from there we have to do keyword searches on [PCs and servers] to see what evidence we can find, and do forensic copies of their devices for court and prosecution.
Howard: In addition to the bilateral talks on cybersecurity between Russia and the United States, there have been some international efforts over several years to try to get some sort of consensus on what isn’t acceptable. And last month the United Nations Group of Experts on cyber came to an agreement on guidance for countries who are obliged to follow what are called norms of behavior in cyberspace. Now, these norms were agreed to several years ago, but they needed some fleshing out. Last month, this group of experts, who were from 40-odd countries, came to an agreement on guidance on how these norms were to be interpreted. One norm is that states should not knowingly allow their territory to be used for internationally wrongful acts using information and communications technology. The problem is, of course, a norm isn’t the law; it’s sort of accepted behavior. And unfortunately that means that there’s some discretion that’s involved by countries. Terry, do you think that norms like this will let Russia and other countries off the hook? Will they heed the fact that there’s been some sort of an agreement on norms? Will this have much effect on cyber attacks in the short term?
Terry: These agreements are fine, but the norms are nonbinding. Nobody polices the internet. It’s a hostile environment. It’s a really hostile network. Once your traffic leaves your company or the country it could be intercepted. It can be manipulated, et cetera. So I don’t think it holds any teeth.
Terry and I also talked about Intuit’s Turbo Tax unit catching a hacker trying to use credentials a customer had used on another web site, and what companies can do to prevent credential re-use. To hear the conversation, play the podcast.