Security Bytes - Issue 2
Jim Tiller is the Chief Information Security Officer at Nash Squared. With over two decades of information security experience, Jim is an internationally recognized cybersecurity authority on cyber risk management, security technology, industry leadership, and multiple patent-winning recognition for innovation in security solutions.
OK… This week’s Security Bytes is a touch different. There’s a lot of nasty stuff out there, but some is more sinister than you might imagine. Also, things, well, don‘t look great. We’re going to take a top down look into the abyss. Hang on tight, here we go.
Hackers Improving Hackers
Bug bounty programs are where companies, such as Microsoft, Apple, Google, Cisco, and many others, enlist hackers to find and report on vulnerabilities in their respective systems and applications for a reward. The bigger and more complex the find, the greater the payout. There are many well-known bounty hunters that are now millionaires thanks to these programs, and of course their skill.
In an interesting twist, this week the second most prolific ransomware-as-a service cybergang LockBit – arguably poised to challenge Conti for first place – launched LockBit 3.0, which coincided with a bug bounty program with rewards starting at $1000 and up to $1M. This clearly demonstrates that cybercrime has evolved into big business.
In fact, the cybercrime industry is looking to exceed $8 Trillion next year. If it were a country, it would be the third largest economy in the world, after the United States and China.. and it’s virtually all profit. Overall cybertheft represents the largest transfer of economic wealth in human history. It’s critical everyone understands this. Money is at the heart of motivation and easy money is highly motivational. Everyone is a target and massive advances in hacker technology and supporting ecosystems makes it too easy.
For our clients, it comes down to making certain you’re prepared to defend and recover from ransomware attacks. Every organization is different. How critical data is to daily operations and where that data is can be defining factors for levels of concern. There is a lot of advice and direction in dealing with ransomware, but we can also help with articulating that risk in real business terms, ensuring an economically balanced approach.
Links:
Faked Out
What essentially started as way of increasing revenue related to pornographic video sales, Deepfake is a technology that allows you to change the facial and other characteristics of one person to another, forming the basis of synthetic media. In the early phases it was clear something wasn’t right and was well entrenched in the uncanny valley.
However, the technology and related AI has advanced significantly. We’ve moved well past faking videos or even voices to steal money, now you can have an interactive video call with someone posing as someone else. Just ask the mayor of Berlin, Franziska Giffey who had a 15 minute zoom call with Vitali Klitschko, mayor of Kyiv, but didn’t.
Just last week the FBI warned of increasing complaints of cybercriminals using deepfakes to apply for remote positions. Hiding just under the ink of their public service announcement is the reality that cybercriminals and nation states – especially North Korea – are using deepfakes to bypass Know Your Customer/Client (KYC) controls related to moving and exfilling stolen cryptocurrency, which represents over $2 Billion in estimated losses.
This is a very real problem. You think poor passwords are an issue, try dealing with technology that (successfully) targets millions of years of human evolution. Facial recognition is a lizard-brain-level process that determines virtually every aspect of our social reality.
For our clients, especially those exploring facial recognition and authentication verification technologies, this is a threat. There are very good counter technologies available, but the evolution deepfakes is just too fast. We can help evaluate client practices and approach and review it from a threat perspective to help articulate risk and, ultimately, confidence in the approach.
Links:
Uncanny Valley: https://en.wikipedia.org/wiki/Uncanny_valley
Deepfake steals $35M: https://www.darkreading.com/attacks-breaches/deepfake-audio-scores-35-million-in-corporate-heist
FBI reports on Deepfakes: https://www.bleepingcomputer.com/news/security/fbi-stolen-pii-and-deepfakes-used-to-apply-for-remote-tech-jobs/
Your Building is Hacking Your Bank
Terms like IoT (Internet of Things) get tossed around, but ultimate connectivity comes at a price. A very long time ago, before committing to cyber as a career, I designed PLC systems and wrote my share of PLC code for fuel and chemical processing. I was very aware of the implications – deadly implications – of manipulating mechanical processes and safety controls of complex machinery. For me Stuxnet was, sadly, no surprise. What really concerned me came years later in 2017 when there was an attack on a Middle East petrochemical facility. The malware was called Triton, after Triconex Safety Systems to which is was generally targeting. In short, this was presumably designed to cause harm to humans, at scale.
When we look at IoT we have to realize these are computers, albeit basic, but as a swarm they can be devastating. Just last week the FBI shutdown operations of the hackers running the Russian Rsocks botnet predominately based on commandeering millions of IoT devices. Of course, this isn’t new, as far back as late last year BotenaGo botnet was based on 1.987 million Linux powered IoT devices.
An interesting report this week – and you really need to read the entire article - researchers at Kaspersky ICS CERT, identified attacks against industrial control systems and telecom firms in Afghanistan and Pakistan, as well as a logistics and transport organization in Malaysia. The attacks are linked to using the well known ProxyLogon Microsoft Exchange vulnerability to deploy the ShadowPad malware. Once in the exchange environment the hackers fire up a shell which is then used to attack Building Automation Systems (BAS), presumably to get sensitive data, move laterally, and, who knows, affect building machinery and safety?
Any of our clients that utilize IoT and industrial systems at scale can always benefit from an assessment, even if only a cursory review. Understanding threats, their tactics, techniques, and procedures (TTPs) , and evolving behaviors is essential to defending against them effectively.
Links:
China APT Article: https://www.darkreading.com/attacks-breaches/china-backed-apt-pwns-building-automation-proxylogon
FBI Rsocks: https://www.hackread.com/feds-dismantle-russia-rsocks-botnet-iot-devices-hack/
BotenaGo: https://www.hackread.com/botenago-malware-hits-iot-devices/
Stuxnet: https://en.wikipedia.org/wiki/Stuxnet
Trition attack: https://www.theregister.com/2022/03/28/in_brief_security/
Podcast about Triton attack: https://darknetdiaries.com/episode/68/
About vCISO
The vCISO (Virtual Chief Information Security Officer) practice is comprised of a global community of highly experienced security professionals that we can connect with customers looking to address challenging cybersecurity pressures in a cost effective and resource efficient delivery model. This provides organizations flexible and focused access to cybersecurity expertise in a time when finding, attracting, and affording skills at this level is virtually impossible or impractical.