Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday, January 6th, 2023. From Toronto, I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In a few minutes David Shipley of Beauceron Security will join me to discuss recent news. But first here are some of the headlines from the past seven days:
The LockBit ransomware gang apologized for hitting Toronto’s Hospital for Sick Children. It blames an affiliate for ignoring the criminal gang’s rules against encrypting the data of hospitals. Is this apology just a PR stunt? That’s one question I’ll put to David.
We’ll also discuss the rise of the ChatGPT tool. According to one news report Microsoft and OpenAI want to integrate this chatbot into the Bing search engine to fight Google’s lead in online search. David and I will discuss how threat actors also might use this tool.
And we’ll look at the increasing trend of threat actors stealing digital tokens to get around multifactor authentication. The latest victim is the Slack instant messaging platform, which at the end of December admitted a hacker downloaded company code from GitHub after getting hold of digital tokens of employees.
In other news, Twitter account information on 200 million users is now available for free on a hacker forum. The data was offered for sale on the dark web for US$200,000 in December.
Developers using the open-source PyTorch machine learning framework were warned they may have downloaded a compromised version of the package from the PyPI repository over the holidays. PyTorch says someone was able to add a package with a spoofed name to the nightly package it puts on PyPI. It’s just the latest example of an open-source repository being abused by threat actors.
Application developers using the CircleCI continuous integration platform were also warned to change passwords, API keys, and digital certificates stored in the system after the discovery of an unspecified security incident.
Zoho is urging IT administrators to install a security fix for ManageEngine Password Manager Pro. This is to fix a high-severity SQL injection vulnerability.
And security researchers found vulnerabilities in the remote access capabilities of vehicles from 16 car manufacturers. Not only could some vehicles be started remotely, personal information of car owners could be stolen.
(The following transcript has been edited for clarity)
Howard: We’ll start with the ransomware attack on Toronto’s Hospital for Sick Children, known as SickKids for short. The attack started last month and the LockBit gang took credit. And then on New Year’s Eve it issued a sudden apology. An affiliate of the gang was responsible for violating a rule against hitting hospitals. The gang said it “formally” apologizes, and the partner who did this is no longer affiliated with them. Not only that, the head of LockBit sent the hospital a decryptor to help it unscramble and recover files. Oh, my gosh David. A crook with ethics!
David Shipley: More like a crook with self-preservation instincts. There’s two scenarios: First is what we’ll call the Australian scenario. Was this the kind of attack like the Medibank attack that would cause such outrage that the government would wake up and actually get its act together, form a joint police and military response and really ruin their [the attacker’s] day? And ruin the Canadian ransomware market? If so this [apology] is just business preservation. Luckily for them, Canadian politicians apparently don’t care about SickKids because I haven’t heard any denunciations from any cabinet-level ministers or the PMO about this. It was a non-concern. What may have been a secondary concern [for LockBit] is this is one of those things where critical infrastructure was attacked. They’re a gang based in Russia, we’re currently at pretty high tensions now, maybe this [attack on SickKids] may upset some of the Russian government folks who don’t necessarily want to see NATO trip Article 5 [a provision where an attack on one NATO member is seen as an attack on all]. Either way I highly doubt this is altruism. These cats have hit hospitals before and not necessarily given them the [decryption] keys. So I think this is self-preservation and self-interest.
Howard: They very generously sent a decryptor to the hospital. A question: Should any IT department trust a decryptor sent by a crook?
David: Do you really want to trust these cats? I have the privilege of knowing really, really smart folks like Brett Callow at Emsisoft [who is based in British Columbia]. They have to spend a lot of time having to build or rebuild the tools to decrypt ransomware because while the criminals are great at ruining your day they’re not so great at actually decrypting it. Even when the Irish healthcare system got their decryption tool [from the attackers] it didn’t work. It was slower than all get out. So it’s a damned if you do, damned if you don’t scenario. I think it [using a gang-supplied decryptor] depends on whether there are any reasonable alternatives. If there are I would avoid it. Hopefully your backups are intact. Hopefully the data is still fresh enough that it has value. But I think you are playing a dangerous game [to use a gang-supplied decryptor]. At the twilight of the ransomware market — and we’re not there yet — when this thing finally starts to go completely south and desperation sets in, these decryptors will cause additional havoc as well. That’s when you know that they’re ready to burn the [ransomware] business model and are going to evolve to something else.
Howard: Ransomware gangs, and perhaps other threat actors, have self-imposed rules which can probably change as quickly as the direction of the wind. Here’s a translated list of what LockBit says its groups are forbidden to do: Encrypting the data of critical infrastructure, especially hospitals and energy companies. But it’s okay to hack into these companies and steal their data for ransom or resale. I hope you get the distinction there. You can hack in, you can steal their data, you can ransom their data. You can’t encrypt their data. If gang members or affiliates are in any doubt about what’s a critical infrastructure organization they can ask the LockBit help desk. Yes, that’s right, this ransomware-as-a-service gang, like a number of criminal operations, has a help desk.
David: What also amuses me is unlike our current federal approach to securing critical infrastructure and legislation they [LockBit] recognize that hospitals are critical infrastructure. [Editor: This is a reference to proposed Canadian federal legislation overseeing critical infrastructure. Initially, it will apply to four sectors: Banking, interprovincial pipelines, telecommunications and transportation. The federal government recognizes healthcare as part of the country’s critical infrastructure in planning with provinces and industry. However, hospitals are legally a provincial responsibility.]
You’d think a pandemic would have taught us that lesson, but LockBit apparently recognizes hospitals as critical infrastructure and our new federal legislation doesn’t. Which is kind of super-funny. I do think the LockBit distinction is about not crippling the hospital — ‘We don’t want to get pinned with actually killing somebody because that might actually spin up a law enforcement and military response and/or set off a whole series of geopolitical events. But no one’s going to go to war over leaked medical files. Even if it might ruin someone’s life.’ I remind listeners about that Medibank hack in Australia. The first set of files they leaked were about people who’d had abortions. So these groups and their scruples are questionable at best. They don’t care what havoc they cause to individuals. They care about what blowback they could get [from the public and law enforcement]. The fact that they have a help desk goes back to the ransomware-as-a-service business model working so well and generating such money.
Howard: Here’s another example of LockBit’s self-imposed rules. The gang can very carefully and selectively attack pharmaceutical companies, dental clinics and plastic surgeries. Why is it a selective rule? Don’t ask. They can attack private for-profit schools but not public school boards.
Interestingly, news emerged this week of an apparent ransomware attack on a Northern Ontario Catholic school board. The gang stole data of employees. The school board now reports the gang says it has deleted that data. Whether it deleted it because the gang was paid by the school board or whether the ransomware gang said, ‘Oh, we really didn’t need to hit a public school board,’ we don’t know yet.
David: Not all ransomware gangs subscribe to LockBit’s ‘Robin Hood’ philosophy. Some gangs don’t care. The number of school districts in the United States that have been taken down is staggering. And the number of Canadian school districts that have gone down in the last 12 months is starting to add up. This is getting bad, particularly for the primary and secondary education systems. It’s not so much the sensitivity of the data on students. But it’s the theft of employee files. That gets really dangerous and damaging. And let’s be honest: teachers have had a rough couple of years here. This is not helping us retain and keep the best teaching talent. As far as dental clinics and pharmaceutical companies, I find that there’s a fascinating distinction [made by LockBit] between these things. ‘You’re not going to have a heart attack [in a dental office],’ but you might not be able to get a root canal when you really need one. They apparently don’t consider that a healthcare emergency.
Howard: LockBit makes it worthwhile for crooks to join their affiliates’ team. According to a U.S. government presentation that I was able to see online, LockBit affiliates set the ransoms demanded of the victims. And they get to keep 80 per cent of payments.
David: We’ve seen that with other gangs, and that includes NetWalker and others. You’ve got to think about how much money they must be making where they’re willing to give that much margin up to their affiliate. That speaks to the rumor that LockBit has made at least $100 million in revenue [since it began]. So if they [the leaders] get 20 per cent of the total take that’s pretty staggering. The only rule of Russian-based gangs that I trust is they don’t hack inside Russia or countries in the Russian sphere of influence. They know that if they break that rule their legs are getting broken.
Howard: Before I leave ransomware I want to mention that this week the Guardian newspaper in the United Kingdom, which was hit last month by ransomware, told staff that they cannot return to the office until at least January 23rd because they’re continuing to restore and cleanse their IT systems. Staff has to continue working from home.
David: It’s interesting how the pandemic has made us more resilient. There would have been a time where not being able to go to the office would have meant the paper couldn’t be put out.
… I also wonder how much the collapse of cryptocurrency has unretired some [ransomware] gangs and made some individuals have to work again. The other thing that makes me very concerned is the affiliate model. When you’ve got tens of thousands of employees being laid off in the biggest tech companies on the planet there are chances that someone’s feeling pretty raw about that who would know enough about their former organization to cause a lot of pain [by becoming a cyber gang’s affiliate]. We might be heading for a year where an organization gets hit badly because they’re tightening their belt for the recession and someone hits back.
Howard: According to a news report the ALPHV/BlackCat ransomware gang recently found a new way to squeeze victim firms. Rather than offer stolen data on its private site for crooks after hitting a financial firm, this gang created a publicly available leak site that mimics that company’s website, with the stolen data. It’s a public warning: ‘We want everybody in the public to know that your company allowed a data breach.’
David: This is an interesting escalation, and it’s not without risk back to the gang. Creating a public website’s going to require registering a domain. They’re going to have to figure out a way to try and cover their tracks. That’s much more difficult than posting something on the dark web, so they clearly think escalating to this level makes sense. It might have been Brett [Callow] or [cybersecurity author] Allan Liska who said this may be a site BlackCat created so when they reach out to that financial services firm’s customers they point them at the site. The customers can see just how bad it is and that just puts extra pressure on the firm to pay — although at that point it may not be about the firm paying but about pointing to other people who have yet to make the decision to pay and saying, ‘Look what we just did to these guys. You want to be next?’ They must be feeling awful confident they’re not going to get nicked by police when creating public websites.
Howard: One lesson for all IT departments that I saw from one U.S. government advisory is all cyber gangs hunt for and then exploit unpatched IT systems. These are seen as easy if not preferred targets.
David: One hundred per cent. And let me put this warning call out there: If you are still running your own Exchange environment, or if you are buying a hosted Exchange environment, make 2023 the year you get to Office 365 because the tens of thousands of organizations that have been hit by numerous Exchange vulnerabilities just continue to happen — but aren’t happening in the Microsoft 365 environment. It’s a no-brainer. The value prop versus risk equation of hosting Exchange is one of those easy wins. Get out of that business. It no longer makes any sense.
Howard: Item two: Access control. At the end of the year the Slack instant messaging platform admitted that a hacker was able to get hold of digital tokens used by employees for logging into GitHub. GitHub is where developers work on Slack application code. The hacker was able to download some of that code. None of it had customer data. This is a new trend: Stealing digital tokens. Slack came out with its statement fast — three or four days after the attack.
David: Their incident response on this is fantastic. Their transparency is great. What’s going to be really key now is how this incident gets weaponized by attackers as they continue to target Slack. What we saw with the LastPass breach just before Christmas was that a previous breach used details that only insiders would know to further their attacks. It resulted in a more catastrophic breach. So just because they didn’t get customer information [from Slack] doesn’t mean that the information they took can’t be highly useful for continuing their campaign. It’s clear Slack is in somebody’s sights. How they handle the next few attacks is really going to make all the difference.
Howard: As I said this deals with the theft of digital tokens which are the snippets of code that are tucked into browsers that IT systems use for identity and access control. If hackers can get a hold of them they can be used for bypassing multifactor authentication. In fact in November Microsoft warned that it’s seeing an increase in token theft. One way that a hacker can steal a token is through a man-in-the-middle attack, which is intercepting the multifactor authentication token that’s used by an employee when he logs in. Then the hacker replays the token for their own access.
David: Microsoft has a really great article about token theft. If I can phish you and get your username and password, I’m off to the races if you don’t have multifactor authentication. If I can phish you and deliver malware to your machine, now I can be the attacker in the middle and capture the browser session cookies and then replay them, I’m laughing. One of the challenges that Microsoft highlights in their analysis that I really liked is in this rush to remote work, with so many bring-your-own-device policies and so many devices that aren’t under corporate control, the devices may not have the security controls, antivirus software updates etc. that could actually prevent malware from getting root and causing problems. Second is there may not be the telemetry heading back into IT security to say, ‘We’ve got a problem with this device.’ So you’re missing that particular insight. The other part about the Microsoft side of things in terms of the advice is the use of physical tokens like Yubikeys etc., where you can’t replay those credentials because they’re tested every time you’re authenticated. The challenge is those hard keys are useful for high-risk roles like IT admins and others. But for regular roles there’s a balance between usability and security, because if the user loses their Yubikey good luck getting them productive again for a couple of days.
Howard: The other way tokens are stolen is by stealing browser cookies. These cookies keep you signed in continuously to a website. Like a man-in-the-middle attack, a cookie theft usually starts with an email or a text phishing attack. If the victim falls for this trick, malware gets installed that tries to steal the cookies from the victim’s browser. The difference is in a cookie attack the hacker doesn’t need the victim’s credentials.
David: I would say email phishing is surging again in activity. And credentials continue to be a pretty big target. The other part that we may be missing in terms of malware delivery is just before the end of the year we also saw a warning from the FBI about the use of malicious Google ads and other things that impersonate popular websites. When you landed at these sites you could end up getting malware served to you, or the ad network serving malware. So while phishing is the easiest way to target a specific individual as part of a more sophisticated attack, generic malware looking to scrape credentials for reuse and access is also surging. This gets back to making sure devices are locked down.
Howard: Our final topic is going to be ChatGPT. It’s the hot technology these days. But a few researchers say it also may be a valuable tool for threat actors. First of all, what is it?
David: ChatGPT is the latest evolution of machine learning models which have been both instructed by human beings as well as having self-taught algorithms that go out and read the Internet and then give relatively coherent responses to questions … It is a fascinating example of the extent that language models have evolved. One of the things that gets really interesting, given we were just talking about phishing, is we used to teach people that phishing emails are poorly written, that they’ll have spelling or grammatical mistakes, that they’ll lack context. Well, all the cool kids around the world who aren’t necessarily English speakers now have ChatGPT or something close to it. Some researchers have actually been able to get ChatGPT to write some pretty damn good phishing emails. And they can use some of the social engineering techniques that we talk about here to make a phish really compelling.
Howard: I interviewed a security researcher this week at a company called Cyberint who made the point that this chatbot could help threat actors reverse engineer anti-malware and security software, as well as just simply be used to find bugs in the code that hackers are writing.
David: I think we’re going to see this. We’ve seen criminals use other tools to understand how to protect themselves. One ransomware gang actually set up a front company to buy cybersecurity antivirus engines to test their software against before putting it on the market. Criminals are not stupid. They’re actually quite bright. It’s that they’re lazy. They don’t want to work hard for their money and they want to steal yours, so they’re going to use every new technology they can get their hands on. That just makes life harder for everybody. And because ChatGPT can do code, which is another form of language, it’s going to cause headaches. It’s going to be interesting to see if it’s used to race to find zero-day bugs. I think we’re in for a bad year in 2023. ChatGPT is a harbinger of what’s coming next. It’s the moment AI starts to balance out. We’ve heard how AI has been helping defenders. Well, everything in crime is gonna have AI, too.
The post Cyber Security Today, Week in Review for Friday, January 6, 2023 first appeared on IT World Canada.