Published: November 6th, 2020
Welcome to Cyber Security Today. This is the Week In Review edition for Friday November 6th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
With me this week to analyze the top news story is Terry Cutler, CEO of Cyology Labs, a Montreal-based cybersecurity consulting service. We’ll talk in a few minutes, but first a look back at the week’s headlines:
Smartphone users should be careful if they get a text message about an unexpected package delivery. A cybercriminal has recently been sending out messages primarily to Americans saying, “Your parcel has been sent out. Please check and accept it.” Click on the included link and you get hit with malware or a page where you are asked to fill in your phone’s password. Remember, think carefully before clicking on links in texts and emails from unknown senders.
The operator of the Maze ransomware web site says the gang is calling it quits. Maze pioneered the double-squeeze strategy of stealing data and threatening to publicly release it as well as encrypting data to blackmail victim organizations. But suddenly a press release on their site appeared in broken English saying the Maze Team Project is “officially closed.”
Meanwhile ransomware attacks continue. Among the latest victims is Montreal’s Jewish General Hospital. Saskatchewan Polytechnic, a college in Western Canada, is fighting a cyberattack that reportedly is ransomware. And toymaker Mattel revealed it was hit by ransomware in July.
Terry and I will talk about ransomware in a few minutes.
Organizations running the Asterisk VoIP phone systems are being warned their Sangoma PBX management system is at risk of being hacked. There is a vulnerability allowing a group in the Middle East to resell access to the phone system to the highest bidders. Often the access is then used for phone fraud. IT administrators should make sure Sangoma has the latest security patches. Phone system administrators should watch company call patterns.
Someone is selling stolen databases from 17 companies with 34 million customer records on a hacker forum. They include names, email addresses, some scrambled passwords and other information. Victim companies are in sectors like finance, online groceries and schools in the United States, the United Kingdom and other countries. It appears all of the databases were stolen this year.
Finally, Microsoft continues to urge IT administrators to install a security patch to Windows Server and all domain controllers. This fixes a big vulnerability in Active Directory’s Netlogon capability. In August Microsoft issued a patch to plug this hole, which could allow a hacker to steal the password to the domain controllers that verify users when they log in.
First I want to chat about the Maze ransomware group and their apparent announcement that they’re closing. This is a group that was one of the first, if not the first, to increase the pressure on victim companies to pay up after encrypting their data. Organizations for a time were able to get around paying for the decryption keys by resorting to backups. So crooks thought ‘As long as we’re in a company’s system, let’s also steal data and threaten to embarrass them by releasing it unless they pay.’ So companies face a dilemma: Pay to stop the release of data, or pay to get decryption keys. Either way it’s been a deadly weapon for those ransomware groups that have adopted this strategy.
Then last weekend Maze says, ‘We’re going away for a while.’ Terry, what do you make of this?
“It’s been really busy actually, because of ransomware. A lot of it’s been Ryuk, but we actually came across two Maze ransomwares and, it’s basically where they get hit with ransomware, but they’ve already stolen your data before infecting you. And then, they [the attackers] have a backup plan. It’s a double extortion, basically. If you’re able to recover your data, well, then it could still turn around and say, okay, well pay us or we’re going to leak your data.”
The Maze ransomware group made an apparent announcement that they’re closing. What do you make of this?
“In my personal opinion, I think that there’s too much heat on them individually because you know, these guys brought in billions of dollars for their network, right? And I think where the problem is going to happen is not going to be in the technology side. Yes, they can hide their tracks and such, but they’re going to make a lot of critical mistakes in the real world … It’s gonna be the carelessness, the parties, the yachts, the cars, the bling, and that’s where like the revenue agencies are gonna look into this, maybe law enforcement piece it all together, and that’s where they’re gonna get nabbed.”
Some of these ransomware groups in the past couple of months have said, ‘Hey, listen, we’re noble, we’re not going to attack hospitals.’ And then hospitals are getting attacked. Is Maze getting worried that’s bad publicity? And that’s one of the reasons why, uh, police are particularly targeting them?
“Well, I think what’s happening is they realize, you know, maybe they’re having a change of heart, we’ll say. A ‘Coming to Jesus’ moment …”
When it comes to the data theft side of a ransomware attack should victim companies trust the gangs that promise that the data they’ve copied is going to be erased if they pay you?
“It’s the hardest part, because again, you’re dealing with criminals. But what’s funny, though, is that when you’re communicating with these guys, they’re, they’re always talking about how they have a brand and reputation that they have to maintain, right? They want to have a positive image that if you pay us, we’re going to give you your keys and everything’s going to be fine. But again, you’re dealing with a cyber-criminal. So it’s a 50-50 chance.”
To hear the full conversation, play the podcast.