Crimson Blog

Security Bytes - Issue 7

Written by Jim Tiller | Aug 18, 2022 1:39:52 PM

Jim Tiller is the Chief Information Security Officer at Nash Squared. With over two decades of information security experience, Jim is an internationally recognized cybersecurity authority on cyber risk management, security technology, industry leadership, and multiple patent-winning recognition for innovation in security solutions.

There’s so much going on this week I couldn’t come close to covering in a single post, such as a report from Dragos concerning industrial systems and ransomware; Microsoft fixes zero-day vulnerability they knew about 3 years ago but didn’t consider it a vulnerability (head scratcher); and a report came out saying only 19% of companies with cyber insurance had coverage over $600k, which wouldn’t actually cover much.

I could go on and on, but for this week we have three items that should get you thinking. We’ll touch on how NHS got hit hard because of a vendor became a ransomware victim, but now there’s concerns of massive data losses; CISA publishes an alert talking about how the top malware is over 5 years old, so why are we still falling victim; and a new report shows that a single crypto laundering service processed $540 Million for criminals and all kinds of bad guys.

Let’s get started!  

-----------------------

Nothing but bad

Getting attacked is exceedingly unpleasant and there are so many ways the bad guys can get you. Most prominent threats these days are ransomware and supply chain exposures. Of course, given the hyper-integration of technology, cyber attacks can have a wide range of impacts, from loss of data and systems, as with ransomware, to impacting critical operations and emergency services. So, it’s difficult not to cringe when reading the news about the cyberattack on the UK’s National Health Services (NHS). Sadly, this isn’t the first time NHS has been impacted and what’s more concerning is healthcare systems, providers, and facilities around the world have been targets.

In this story, which is continually developing, a software supplier for the NHS was hit by a ransomware attack, which then leaked into the more critical aspects of the NHS’s systems and services. The company’s software provides multiple services, such as patient referrals, ambulance dispatch, out-of-hours appointment bookings, mental health services and emergency prescriptions. As a result, calls into the emergency services, the deployment of ambulances, and even the ability for patients to pick-up medications suffered outages. Now being reported are fears that patient data was stolen. So, if you’re counting… 1) ransomware attack, 2) data exfiltration, 3) impact to critical emergency services, and 4) supply-chain risk.

I’d like to highlight a big-picture item. We hear of bad guys getting private information all the time, so much so we’re becoming numb to it. But what you don’t hear about is the downstream impacts for years encompassing everything from identity theft and credit card fraud to hacking into organizations and extortion. The NCSC, which is part of GCHQ, is investigating the attack to ascertain if anything was taken and if so, what. Time will tell.

Links:

Article overview: https://www.theguardian.com/technology/2022/aug/11/nhs-ransomware-attack-what-happened-and-how-bad-is-it

Article about data exposure: https://www.theguardian.com/society/2022/aug/11/fears-patient-data-ransomware-attack-nhs-software-supplier

NHS hit by WannaCry in 2017: https://www.nationalhealthexecutive.com/articles/wannacry-cyber-attack-cost-nhs-ps92m-after-19000-appointments-were-cancelled

 

It’s Malware, Dummy

This week a joint cybersecurity advisory was published representing a collaboration between the Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC), titled “2021 Top Malware Strains” (AA22-216A). The technical summary of the eleven various forms of malware is good. They highlight the type, the year it became active, and how it’s delivered with some resources to get more information – great! But there’s a somewhat thinly veiled undertone to the report.

The report highlights simply that “Most of the top malware strains have been in use for more than five years…” and between the lines (deeply perhaps) suggests that if it’s the same malware, why are we not better at stopping it. In one hand, I completely agree. Seriously, if a criminal walks up to your store front every month and tosses a brick through the window, your defenses are going to naturally start to become very good at stopping bricks. Maybe not other things, but bricks for sure. But on the other hand, malware is, well, just the brick. We have to think about the street our store is on, the type of glass we’re using, or why is our employee is stacking bricks around the corner on their smoke break. In short, there are other moving parts that go beyond just detecting malware, phishing being at the top of the list.

But here’s the reality of the report and puts a nail in it… the recommendations. And we all (should) know what they are: 1) patch your systems, 2) backup your data, 3) train your users, and 4) implement Multi-Factor Authentication (MFA), because they haven’t changed in over 25 years. This is one of the many conundrums of cybersecurity. Really good security is boring and has to be worked on every day, like painting a bridge… no one will ever see it, but if you don’t do it, the bridge will rust and fail. But, it’s not fun and even less than interesting, so it’s difficult to do and do right all the time.

Links:

The alert: https://www.cisa.gov/uscert/ncas/alerts/aa22-216a

Article: https://www.nextgov.com/cybersecurity/2022/08/top-malware-2021-has-been-use-years-cisa-warns/375587/

 

Industrializing Cybercrime

One of many topics I spend a lot of time exploring is the complex infrastructure that cybercriminals have constructed that permit them to operate in extraordinary ways. In that arena, and something I’ve always found fascinating, is cryptocurrency. The concept of using technology for money, in an era that still can’t seem to secure even e-mail, or a text message just doesn’t add up – but I digress. Nevertheless, one cannot argue the point that crypto has nearly singlehandedly empowered cybercrime by solving the big hacker problem – monetization.  Other than outright stealing money, effectively converting hacking activities into hard cash was difficult prior to crypto. Of course, adding to the oddity of crypto is the notion of privacy, which there is none.

Criminal’s use of crypto has been extraordinary to watch. How it is deployed, leveraged, and obfuscated to avoid law enforcement, and, of course, extracting the cash. A lot of interesting technology was created to move crypto across various wallets and to extract cash. To help, new forms of “private” cryptocurrencies launched, most notable Monero, Zcash, etc. that created a capability to essentially privatize other cryptocurrencies. Then came tumblers, which are designed to take privatization to the next level and launder crypto by cleaning it through mixing and distributing it across a wide variety of cryptocurrencies to throw off law enforcement and their very capable tools (that’s for another post).

Tumblers evolved rapidly, not only in technology, but also in practice and application, such as peer-to-peer, pooling, and a sea of darknodes. As such, it took on a new label – decentralized cross-chain bridge. But what does that really mean? Well, it means a form of financial service for the cybercrime world, and like a lot of things, they do it at scale and quite well.

This week Elliptic Connect published a report based on an analysis they performed on cross-chain bridges and highlighted some interesting numbers. The headline number is $540 Million laundered through one such bridge called RenBridge. The underlying architecture of how these services function is quite sophisticated and smartly implemented. In fact, their existence is threatening all types of digital asset activities, such as DeFi, regulators, and anti-fraud practices. When we say the hackers are “always ahead”… this is a perfect example and to add insult to injury, we’re trying to play in their world with money. It’s going to get worse before it gets better I fear.

Links:

The report – definitely read it: https://hub.elliptic.co/analysis/cross-chain-crime-more-than-half-a-billion-dollars-has-been-laundered-through-a-cross-chain-bridge/

Article: https://www.cnbc.com/2022/08/10/crypto-criminals-laundered-540-million-using-renbridge-elliptic-says.html

 

About vCISO

The vCISO (Virtual Chief Information Security Officer) practice is comprised of a global community of highly experienced security professionals that we can connect with customers looking to address challenging cybersecurity pressures in a cost effective and resource efficient delivery model. This provides organizations flexible and focused access to cybersecurity expertise in a time when finding, attracting, and affording skills at this level is virtually impossible or impractical.

https://www.nashsquared.com/vciso