My Take
MY TAKE: A primer on how ransomware arose to become an enduring scourge

By Byron V. Acohido

“All we know is MONEY! Hurry up! Tik Tak, Tik Tak, Tik Tak!”

This is an excerpt from a chilling ransom note Baltimore IT officials received from hackers who managed to lock up most of the city’s servers in May. The attackers demanded $76,000, paid in Bitcoin, for a decryption key. Baltimore refused to pay – choosing, instead, to absorb an estimated $18 million in recovery costs.

Related: ‘Cyber Pearl Harbor’ happens every day

Some 15 months earlier, in March 2018, Atlanta was hit by a similar assault, and likewise refused to pay a $51,000 ransom, eating $17 million in damage.

Stunning as these two high-profile attacks were, they do not begin to convey the full scope of what a pervasive and destructive phenomenon ransomware has become – to individuals, to companies of all sizes and, lately, to poorly defended local agencies.

Probing and plundering

Ransomware is highly resilient and flexible. Its core attraction for criminals is that it is about as direct a channel to illicitly-garnered cash as any conman could dream up – few middlemen required.

From a high level, ransomware is essentially an open platform that operates on market principles, around which a thriving ecosystem of suppliers and specialists has taken shape. This has opened the door for newbie purveyors, with modest technical skill, to enter the field, giving these novices easy and cheap access to powerful turnkey tools and services. Meanwhile, the advanced hacking collectives invest in innovation and press forward. The net result is a continuation of proven styles of ransomware attacks, as well as constant probing for vulnerable pockets and plundering along fresh pathways.

According to the FBI, the absolute number of daily ransomware attacks actually dipped slightly last year. However, that’s more a function of hackers targeting individuals less, and companies and governments more. And as highlighted by the assaults on Baltimore and Atlanta, municipalities are among the hottest targets of the moment. A survey of local media reports by Recorded Future tallied 38 ransomware attacks against cities in 2017, rising to 53 attacks in 2018. In the first four months of 2019 alone, some 22 attacks have been disclosed.

…more

MY TAKE: How state-backed cyber ops have placed the world in a constant-state ‘Cyber Pearl Harbor’

By Byron V. Acohido

Cyber espionage turned a corner this spring when Israeli fighter jets eradicated a building in the Gaza Strip believed to house Hamas cyber operatives carrying out attacks on Israel’s digital systems.

Related: The Golden Age of cyber spying is upon us.

That May 10th air strike by the Israel Defense Force marked the first use of military force in direct retaliation for cyber spying. This development underscores that we’re in the midst of a new age of cyber espionage.

This comes as no surprise to anyone in the military or intelligence communities. State-sponsored cyber operations have been an integral part of global affairs for decades. And, in fact, cyber ops tradecraft has advanced in sophistication in lock step with our deepening reliance on the commercial Internet.

Here are a few things everyone should know about the current state of government-backed cyber ops.

Russia’s tradecraft

A lot of dots have been connected recently with respect to Russia’s cyber spying, initially thanks to Barack Obama’s leveling of sanctions on Russia for interfering in the 2016 U.S. presidential elections. Among more than two dozen Russians named as co-conspirators by the Obama sanctions were a pair of notorious cyber robbers, Evgeniy Bogachev of Russia and Alexsey Belan of Latvia.

At the time, both were well-known to the FBI as profit-motivated cyber thieves of the highest skill level. Bogachev led a band of criminals that used the Gameover Zeus banking Trojan to steal more than $100 million from banks and businesses worldwide. Then somewhere along the way, Bogachev commenced moonlighting as a cyber spy for the Russian government.

The Obama sanctions helped security analysts and the FBI piece together how Bogachev, around 2010, began running unusual searches on well-placed PCs he controlled, via Gameover Zeus infections. Bogachev’s searches explicitly sought out intelligence of direct strategic benefit to Russia – just prior to Russia making adversarial moves in the Republic of Georgia, the Ukraine and Turkey, respectively.

Meanwhile, details of Alexsey Belan’s Russian-backed escapades came to light in March 2017 when the FBI indicted Belan and three co-conspirators in connection with hacking Yahoo to pilfer more than 500 million email addresses and gain deep access to more than 30 million Yahoo accounts.

The Obama sanctions ultimately linked both Bogachev and Belan to the hack of the Democratic National Committee and several other organizations at the center of the 2016 U.S. presidential elections. The pair were not the first private-sector cybercriminals recruited to serve as Russian assets, and very likely won’t be the last, said Bryson Bort, CEO of security company SCYTHE, a supplier of attack simulation systems.

“Russia explicitly recruits folks already engaged in criminal activities, and once recruited, they are contracted and connected to military organizations for direction and oversight,” Bort told me. “Those activities have criminal end-goals of corporate espionage and theft, but to be clear, they are government-directed.”

Both Bogachev and Belan remain on the FBI’s most wanted cybercriminals list: Bogachev with a $3 million bounty and Belan with a $100,000 bounty. The assumption is that they both reside in Russia under the protection of the Russian government.

“We have not effectively deterred Russia, as a nation, from executing these operations,” Bort said. “So we can expect them to continue to recruit criminal hackers, grow their capabilities, and continue to use them.”

China’s tradecraft

It’s fully expected that Russia’s cyber spying will continue to revolve around spreading propaganda and influencing elections, as well as maneuvering for footholds, in critical infrastructure and financial systems, in order to put Russia into an improved position from which to manipulate global politics of the moment.

By contrast China takes a long view, as explicitly outlined in its Made in China 2025 manifesto. China has been taking methodical steps to transform itself from the source of low-end manufactured goods to the premier supplier of high-end products and services.

…more

NEW TECH: Early adopters find smart ‘Zero Trust’ access improves security without stifling innovation

By Byron V. Acohido

As we approach the close of the second decade of the 21st century, it’s stunning, though perhaps not terribly surprising, that abused logon credentials continue to fuel the never-ending escalation of cyber attacks.

Related: Third-party risks exacerbated by the ‘gig economy’

Dare we anticipate a slowing – and ultimately the reversal – of this trend? Yes, I believe that’s now in order.

I say this because tools that give companies the wherewithal to make granular decisions about any specific access request – and more importantly, to react in just the right measure – are starting to gain notable traction.

For the past four years or so, leading security vendors have been championing the so-called Zero Trust approach to network architectures. All of this evangelizing of a “never trust, always verify” posture has incrementally gained converts among early-adopter enterprises.

PortSys is a US-based supplier of advanced identity and access management (IAM) systems and has been a vocal proponent of Zero Trust. I recently had the chance to visit with PortSys CEO Michael Oldham, and came away with a better grasp of how Zero Trust is playing out in the marketplace.

He also reinforced a notion espoused by other security vendors I’ve interviewed that Zero Trust is well on its way to being a game changer. Key takeaways from our discussion:

Entrenched challenges

It takes a cascade of logons to interconnect the on-premises and cloud-based systems that enterprises rely on to deliver digital commerce as we’ve come to know and love it. And it remains true that each digital handshake is prone to being maliciously manipulated by a threat actor, be it a criminal in possession of stolen credentials or a disgruntled insider with authorized access.

To be sure, advances have come along in IAM technologies over the past two decades. Yet, high-profile breaches persist. Some 78% of networks were breached in 2018, based on CyberEdge’s poll of IT pros in 17 countries. What’s more, an IBM/Ponemon study pegs the global average cost of a data breach at $3.86 million, and predicts a 28 percent likelihood of a victimized organization sustaining a recurring breach in the next two years.

This has to do with entrenched investments in legacy security systems, such as traditional firewalls and malware detection systems that were originally designed to protect on-premises systems. As remote access, mobile devices and cloud computing …more

MY TAKE: Let’s not lose sight of why Iran is pushing back with military, cyber strikes

By Byron V. Acohido

It is not often that I hear details about the cyber ops capabilities of the USA or UK discussed at the cybersecurity conferences I attend.

Related: We’re in the golden age of cyber spying

Despite the hush-hush nature of Western cyber ops, it is axiomatic in technology and intelligence circles that the USA and UK possess deep hacking and digital spying expertise – capabilities which we regularly deploy to optimize our respective positions in global affairs.

Last week, President Trump took an unheard-of step: he flexed American cyber ops muscle out in the open. An offensive cyber strike by the U.S. reportedly knocked out computing systems controlling Iranian rocket and missile launchers, thus arresting global attention for several news cycles.

“The digital strike against Iran is a great example of using USCYBERCOM as a special ops force, clearly projecting US power by going deep behind enemy lines to knock out the adversary’s intelligence and command-and-control apparatus,” observes Phil Neray, VP of Industrial Cybersecurity for CyberX, a Boston-based supplier of IoT and industrial control system security technologies.

Some context is in order. Trump’s cyber strike against Iran is the latest development in tensions that began in May 2018, when Trump scuttled the 2015 Iran nuclear deal – which was the result of 10 years of negotiation between Iran and the United Nations Security Council. The 2015 Iran accord, agreed to by President Obama, set limits on Iran’s nuclear programs in exchange for the lifting of nuclear-related sanctions.

For his own reasons, Trump declared the 2015 Iran accord the “worst deal ever,” and has spent the past year steadily escalating tensions with Iran, for instance, by unilaterally imposing multiple rounds of fresh sanctions.

Iran pushes back

This, of course, has pushed Iran into a corner, and forced Iran to push back. It’s important to keep in mind that Iran, as well as Europe and the U.S., were meeting the terms of the 2015 nuclear deal, prior to Trump scuttling the deal. Let’s not forget that a hard-won stability was in place, prior to Trump choosing to stir the pot.

Today, Iran is scrambling for support from whatever quarter it can get it. Its moves, wise or unwise, are quite clearly calculated to compel European nations to weigh in on its behalf. However, many of Iran’s chess moves have also translated into fodder for Trump to stir animosity against Iran. …more

BEST PRACTICES: Do you know the last time you were socially engineered?

By Byron V. Acohido

This spring marked the 20th anniversary of the Melissa email virus, which spread around the globe, setting the stage for social engineering to become what it is today.

The Melissa malware arrived embedded in a Word doc attached to an email message that enticingly asserted, “Here’s the document you requested . . . don’t show anyone else;-).” Clicking on the Word doc activated a macro that silently executed instructions to send a copy of the email, including another infected attachment, to the first 50 people listed as Outlook contacts.

What’s happened since Melissa? Unfortunately, despite steady advances in malware detection and intrusion prevention systems – and much effort put into training employees – social engineering, most often in the form of phishing or spear phishing, remains the highly effective go-to trigger for many types of hacks.

Related: Defusing weaponized documents

Irrefutable evidence comes from Microsoft. Over the past 20 years, Microsoft’s flagship products, the Windows operating system and Office productivity suite, have been the prime target of cybercriminals. To its credit, the software giant has poured vast resources into beefing up security. And it has been a model corporate citizen when it comes to gathering and sharing invaluable intelligence about what the bad guys are up to.

Threat actors fully grasp that humans will forever remain the weak link in any digital network. Social engineering gives them a foot in the door, whether it’s to your smart home or the business network of the company that employs you.

Attack themes

A broad, general attack will look much like Melissa. The attacker will blast out waves of email with plausible subject lines, and also craft messages that make them look very much like they’re coming from someone you might have done business with, such as a shipping company, online retailer or even your bank.

Some common ones in regular rotation include: a court notice to appear; an IRS refund notice; a job offer from CareerBuilder; tracking notices from FedEx and UPS; a DropBox link notice; an Apple Store security alert; or a Facebook messaging notice.

…more

MY TAKE: Why locking down ‘firmware’ has now become the next big cybersecurity challenge

By Byron V. Acohido

Locking down firmware. This is fast becoming a profound new security challenge for all companies – one that can’t be pushed to a side burner.

Related: The rise of ‘memory attacks’

I’m making this assertion as federal authorities have just commenced steps to remove and replace switching gear supplied, on the cheap, to smaller U.S. telecoms by Chinese tech giant Huawei. These are the carriers that provide Internet access to rural areas all across America.

Federal Communications Commission member Geoffrey Starks recently alluded to the possibility that China may have secretly coded the firmware in Huawei’s equipment to support cyber espionage and cyber infrastructure attacks.

This isn’t an outlier exposure, by any means. Firmware is the coding that’s embedded below the software layer on all computing devices, ranging from printers to hard drives and motherboards to routers and switches. Firmware carries out the low-level input/output tasks, without which the hardware would be inoperable.

However, the security of firmware has been largely overlooked over the past two decades. It has only been in the past four years or so that white hat researchers and black hat hackers have gravitated over to this unguarded terrain – and begun making hay.

I recently had the chance to discuss this with John Loucaides, vice-president of engineering at Eclypsium, a Beaverton, OR-based security startup that is introducing technology to scan for firmware vulnerabilities. Here are the big takeaways:

Bypassing protection

Firmware exposures are in the early phases of an all too familiar cycle. Remember when, over the course of the 2000s and 2010s, the cybersecurity industry innovated like crazy to address software flaws in operating systems and business applications? Vulnerability research took on a life of its own.

As threat actors wreaked havoc, companies strove to ingrain security into code writing, and make it incrementally harder to exploit flaws that inevitably surfaced in a vast threat landscape. Then, much the same cycle unfolded as virtual computing came along and became popular; and then the cycle repeated itself, yet again, as web browsers took center stage in digital commerce. …more

MY TAKE: Android users beware: Google says ‘potentially harmful apps’ on the rise

By Byron V. Acohido

Even if your company issues you a locked-down smartphone, embracing best security practices remains vital.

Our smartphones. Where would we be without them?

Related Q&A: Diligence required of Android users

If you’re anything like me, making a phone call is the fifth or sixth reason to reach for your Android or iPhone. Whichever OS you favor, a good portion of the key components that make up your digital life — email, texting, social media, shopping, banking, hobbies, and work duties — now route through these indispensable contraptions much of the time.

Cybercriminals know this, of course, and for some time now they have been relentlessly seeking out and exploiting the fresh attack vectors spinning out of our smartphone obsession.

Don’t look now, but evidence is mounting that the mobile threats landscape is on the threshold of getting a lot more dicey.

This is because mobile services and smartphone functionalities are rapidly expanding, and, as you might expect, cyberattacks targeting mobile devices and services are also rising sharply. Here are a few key developments everyone should know about.

Malware deliveries

Upon reviewing Android usage data for all of 2018, Google identified a rise in the number of “potentially harmful apps” that were preinstalled or delivered through over-the-air updates. Threat actors have figured out how to insinuate themselves into the processes that preinstall apps on new phones and push out OS updates.

Why did they go there? Instead of having to trick users one by one, fraudsters only have to deceive the device manufacturer, or some other party involved in the supply chain, and thereby get their malicious code delivered far and wide.

In a related development, OneSpan, a Chicago-based supplier of authentication technology to 2,000 banks worldwide, reports seeing a rise in cyber attacks targeting mobile banking patrons. “Popular forms of mobile attacks, at this point in time, include screen scrapers and screen capture mechanisms, as well as the installation of rogue keyboards,” said OneSpan security evangelist Will LaSala. …more