Welcome to Cybersecurity Today, this is the week in review edition for the 7 days ending June 4. I’m Alex Coop, editorial director for ITWorldCanada.com, and I’m filling in today for your regular host Howard Solomon. In a few minutes, Terry Cutler, CEO of Montreal’s Cyology Labs will join me to peel through some of the news today, but first, let’s review some recent headlines.
If you were wondering which industry was going to feel the wrath of ransomware next, you got your answer this week. A ransomware attack against the world’s largest meat processor is giving everyone a taste of the chaos criminals can cook up with a focused attack on the food sector. Cutler and I will talk about the immense pressure facing industries that are vital to national security, energy and transportation, and agriculture, shortly.
The attack against the Brazil-headquartered JBS happened on the heels of a separate cyberattack on Colonial Pipeline last month and halted production at all the company’s U.S. meat processing facilities and slaughterhouses across Australia. According to the Washington Post, it shut down about one-fifth of U.S. beef production. JBS is largely back up and running, but the shutdown is still threatening a sudden surge in beef and pork prices and putting additional strain on an industry already ravaged by the COVID pandemic.
When it comes to that nasty pipeline attack, federal officials have linked it to a Russia-based black hat group called DarkSide, and no, not the threatening behemoth from Zack Snyder’s Justice League, but perhaps just as threatening. On top of that, researchers say DarkSide has extracted $46 million in ransom payments in 2021 alone.
Hitting closer to home, Canada Post recently confirmed that it was a victim of a supply chain attack that allowed hackers to capture the names and addresses of almost one million senders and receivers of packages over a three-year period.
Our own Howard Solomon reported last week that the post office acknowledged the incident and said it was the result of a cyberattack on its electronic data interchange (EDI) solution supplier, Commport Communications. Commport manages the shipping manifest data of large parcel business customers.
The attack appears to be the work of a relatively new ransomware group called Lorenz, which researchers have since suggested hails from the ThunderCrypt ransomware strain.
Canada Post says it was first notified of a possible problem last November. At that time Commport told Innovapost, Canada Post’s IT subsidiary, “of a potential ransomware issue.” Commport said then that “there was no evidence to suggest any customer data had been compromised,” according to the post office. Canada Post added it was only recently told by Commport that the manifest data it held between July 2016 and March 2019 had been compromised.
Microsoft says the group behind the SolarWinds hack is now targeting government agencies, NGOs.
The group behind the SolarWinds cyberattack identified late last year is reportedly now targeting government agencies, think tanks, consultants, and non-governmental organizations, Microsoft announced Tuesday.
In a blog posted online on Tuesday, Microsoft wrote that it had observed cyberattacks by the threat actor Nobelium targeting the aforementioned agencies.
Microsoft says Nobelium, originating from Russia, is the same actor behind the attacks on SolarWinds customers in 2020.
And lastly, cybersecurity firm FireEye has entered into a definitive agreement to sell the FireEye products business, including the FireEye name, to a consortium led by Symphony Technology Group (STG) in an all-cash transaction for $1.2 billion.
FireEye says that if the deal gets the green light from a regulatory perspective, the transaction is expected to close by the end of the fourth quarter of 2021. The deal will also separate Mandiant Solutions, FireEye’s cyber forensics unit, from its network, email, and cloud security products.
Also worth noting is that with the exception of special purpose acquisition companies, researchers at FactSet are saying that seven of the 12 largest tech acquisitions in the U.S. in 2021 have been carried out by private equity firms. I’m going to pick Cutler’s brain later about what these moves mean for the cybersecurity industry and channel partners.
This transcript has been condensed for clarity and accuracy. Catch the full interview in the podcast player at the top of this page.
Alex: It’s clear that complex digital supply chains are a hacker’s paradise, and they can give criminals worrying access to vendors like FireEye and Microsoft. Researchers at the Identity Theft Resource Center back in February reported tracking a decrease in the number of random cyber attacks designed to catch victim organizations in their web. So why are supply chain attacks so attractive nowadays? And what are some of the targets outside of commercial software?
Terry: I think what’s happening here is that it’s breaking the trusted computer model. So what’s happening here is that they’re going after legitimate companies, hacking them, and then using them as a jump point to attack another company. And we’re seeing this now with attacks on Office 365, where you’re going to receive an email that looks like it came from your company. In fact, it looks really legit, but after you’ve signed in and also entered your two-step verification token, it wants to install a plugin that will have constant read access to your mail. And the moment you activate it, the cybercriminals have access to your inbox now, and that causes an email business compromise. [Criminals] are going to be targeting these companies because they’re going to have a better success rate when users are going to be opening up their emails, and what’s happened also is that the whole work from home environment is opening up a larger attack surface. So remember, the hackers need just one way in to be able to compromise the company.
Alex: Let’s zero in on the actual ransomware encryptor that was reportedly used against Canada Post. Lorenz emerged in April and is a ransomware strain with code based on the ThunderCrypt ransomware. Terry, what can you tell us about how Lorenz operates, and any advice you can offer when it comes to identifying its nefarious activities?
Terry: It’s very, very difficult to spot. What usually happens is that once the malicious code gets into your environment, it’s going to use techniques that will gather the usernames and passwords. So for example, if you’ve ever signed into, let’s say, the receptionist computer with the administrator password, well, it’s going to steal those credentials and start moving laterally through your network … setting it up for the ransomware to show up. And at that point, once it’s got the domain administrator credentials, which is like God-level access to the Windows environment, the ransomware will then launch itself and encrypt all of the data to hold you hostage. And it’ll also go after your backups. So if your backups aren’t protected, you’re either going to be left with restoring your data somehow from tape or offsite backup, or you’ll pay the ransom to recover your data.
Alex: Shifting gears slightly… In the United States, there are around 879,000 cybersecurity professionals in the workforce and an unfilled need for another 359,000 workers, according to a 2020 survey by (ISC)2, an international nonprofit that offers cybersecurity training and certification programs. Globally, the gap is even larger at nearly 3.12 million unfilled positions, the group says. My question for you is: what types of positions are sought after the most?
Terry: Everything from help desk technicians all the way up to the CISO advisory. The challenges that we’re seeing right now, in my personal opinion, stem from the schools. I witnessed this personally this year when I hired my first intern, who had spent three years in university. And when I brought her on, I was shocked to learn that she had never even installed some of the cybersecurity tools that we use to help protect companies, or had never even heard of some of these things. And a lot of the time, teachers are only just one chapter ahead of them. So I feel that the universities and cybersecurity programs need to be revamped, have better experts in there, and perhaps the only way to scale that is through remote learning.