Looking back and forward, the view’s very nearly the same. Threats, threats and more threats. Teri Robinson reports.
Out with the old. In with the new. That’s the way the New Year works, right? Except in cybersecurity. The old threats never really go away as the devastating WannaCry, a new twist on an old bug, shows and new threats never, ever stop coming. Cybersecurity pros don’t so much usher out old threats as they just add new ones to the pile.
Likewise, it’s hard to peg just one issue or threat that dominated 2017. The year of ransomware (again)? The revenge of the open server? The nation-state strikes back? All those monikers, and more, apply…and will likely roar into 2018 as well.
Attack of nation states
Any doubt that nation-states had upped their (cyberwar) games was quickly dispelled in 2017 – as North Korea, China and Russia flexed their cyber muscles with the latter’s antics even prompting investigations by a handful of congressional committees and Special Counsel Robert Mueller into whether members of President Donald Trump’s campaign colluded with any nation-state operatives. The U.S. slid into the year on a wave of evidence from the intelligence community that Russia had interfered in the 2016 presidential election, after Fancy Bear and Cozy Bear hackers pilfered email and other communications from the Democratic National Committee (DNC) and other organizations and persons associated with the Democrats, which were leaked in a steady stream by WikiLeaks to discredit Hillary Clinton.
But that was only the beginning – over the course of the year, it became clear that Russia had declared all out war on U.S. election systems. Intel reports showed hackers tried to penetrate voting systems in at least 21 states.
The Russian government also turned to a tool that the Soviet Union had perfected during the Cold War – propaganda. Albeit, this time with a modern, high-tech twist.
After issuing repeated denials, Facebook revealed in late summer that an internal investigation found a Russian “troll farm” bought ads from the social media giant and apparently planted them, some in targeted markets, “to focus on amplifying divisive social and political messages across the ideological spectrum — touching on topics from LGBT matters to race issues to immigration to gun rights,” company CSO Alex Stamos wrote in a blog post.
The revelations also renewed questions as to whether members of the Trump campaign colluded with Russian operatives to influence the election results. “This is a very significant set of data points produced by Facebook,” the Washington Post quoted Rep. Adam Schiff, D-Calif., the ranking Democrat on the House Intelligence Committee, as saying after committee members heard from Facebook officials behind closed doors. “Left unanswered in what we received from Facebook — because it is beyond the scope of what they are able to determine — is whether there was any coordination between these social media trolls and the campaign. We have to get to the bottom of that.”
Sirota said the timing and circumstances of the ad spends are cause for further investigation. “What’s unusual about this revelation is that the effort started in June of 2015. Trump announced his candidacy June 16. This effort was organized and involved many people,” he said. “Somehow they were able to mobilize an organization and fake stories just as a candidate they liked took the stage. It could possibly be a coincidence, but as the Soviets used to say, there are no coincidences in politics.”
Noting that “Facebook describes several actions in their blog to curb foreign interference and abuse of its platform, including better anomaly detection and better verification of accounts,” Sirota says “this is a matter Facebook should take seriously, as most people now receive their news from their Facebook feed.”
Rocked by the accusations that it helped a Russian propaganda campaign designed to sow division in the U.S. and influence the election, Facebook and its social media peers all have unveiled transparency initiatives to prevent nation-states from compromising their platforms and to keep users and others informed as to where ads and other content originate. Facebook has attempted to make amends, in late October making good on a promise by CEO Mark Zuckerberg by unveiling changes to its advertising platform to boost transparency and authenticity.
“We’re going to make advertising more transparent, and not just for political ads,” Facebook Vice President of Ads Rob Goldman wrote in a blog post at the time, noting that transparency is critical to democracy.
Facebook says it will offer a tool that will let users view the pages and ads created by a Russian troll farm operating under the moniker Internet Research Agency. “It is important that people understand how foreign actors tried to sow division and mistrust using Facebook before and after the 2016 US election,” according to a company statement. “That’s why as we have discovered information, we have continually come forward to share it publicly, and have provided it to congressional investigators.”
The troubling revelations prompted members of Congress to introduce the “Honest Ads Act” to compel social media and online entities to adhere to the same political ad disclosure requirements as broadcasters.
“Malware, data collection and inappropriate content permeate the entire digital ecosystem with limited deterrence,” says Chris Olson, CEO of The Media Trust. “Until accountability for this troublesome activity is assigned to either the digital asset owner or the offending upstream party it will continue unabated.”
Ransomware never dies
Like Michael Myers, Freddy Krueger and a whole host of horror characters, barring decryptors, ransomwares never truly die.
“Malware, especially ransomware, seems to run in cycles,” says Derek Manky, global security strategist at Fortinet. “We’ll track a large number of triggers and exploit attempts for months. Over that time, a number of variants will be launched that either change the attack vector, improve the malware payload, refine its ability to avoid detection, or change how it communicates with its command-and-control server. They can lie dormant for a while, and re-activate in microseconds once attackers decide it is time to launch a new campaign.”
Just look at Locky, which debuted in early 2016 and soon after infected Hollywood Presbyterian Medical Center, triggering a scourge of similar attacks against the health-care industry. After a brief dormancy, the Necurs botnet pushed Locky heavily in April, and then once again in August with the two newest variants (as of this printing), Diablo6 and Lukitus.
Same goes for Cerber, a ransomware-as-a-service (RAAS) product, which has popped up frequently since it first came to light in 2016, sporting new features such as anti-detection and anti-sandboxing techniques, as well as the ability to steal cryptocurrency wallets and passwords.
“Every time it returns, it comes back stronger and smarter than ever,” says Manky. “Both Cerber and Locky now have a large number of variants that have been developed, and quite often there are several running simultaneously in the wild.”
The 2014 TorrentLocker has undergone at least five significant releases since 2014, according to Kaspersky Lab. “Its authors have made several major changes…and it is still spreading, although not as aggressively as Cerber and other ransomware strains,” says Ondrej Vlcek, Avast CTO and EVP and GM, consumer.
There are any number of explanations for why Locky, Cerber and even older ransomware programs seem to wax and wane in activity. One key reason is that the malware authors are using their downtime to improve their weapons, evolving them with new key features for the next round of infections.
“Each campaign reveals a new trick, and is responded to with a new counter-defense,” says Sean Sullivan, security advisor at F-Secure.
Sometimes, ransomware authors find fertile ground exploiting old bugs, which is what happened with WannaCry, which cut a swath of devastation around the world, beginning on May 12 and hitting more than 200,000 endpoints in more than 100 countries before it was stopped 48 hours later.
Attackers used advanced techniques to exploit a previously disclosed and patched flaw in the Windows Operating System – MS17-010 is also known as EternalBlue, targeting the SMB application-layer protocol which allows it to spread with great speed across shared network resources, says Limor Kessem, executive security advisor at IBM XForce.
The NSA had some ‘splaining to do. While IT administrators who did not implement Microsoft’s patch when it became available and the cybersecurity teams that were made aware of the vulnerability, but did not see it as a threat, bear much of responsibility for WannaCry, significant blame falls on the National Security Agency (NSA), which detected the flaw, but withheld that knowledge so it could use the vulnerability as a potential weapon. The NSA also has the dubious honor of not properly protecting its hacking tools thus allowing hacking group The Shadow Brokers to swipe and eventually reveal EternalBlue and DoublePulsar to the criminal world, for which they are assigned a fair share of the blame.
John Bambenek, threat research manager at Fidelis Cybersecurity, says that the WannaCry attack demonstrates the serious consequences that can occur when a nation-state’s zero-day exploit is leaked into the wild, even after a patch is developed. “This is the first time that a worm-link tool has been used in conjunction with ransomware that has created devastating impact against entire organizations,” he says. “Strong and swift patching would have helped mitigate this threat. It has undoubtedly captured the imagination of criminals who don’t want to hold individual machines ransom but to take entire organizations hostage and surely we will see much more of this in the coming weeks.”
Security expert Bruce Schneier, in Foreign Affairs article, decried the NSA for its role in detecting the flaw years ago, but choosing to “exploit it rather than disclose it.”
The government’s proclivity to keep software flaws stashed for use as potential weapons, rather than disclose them so they could be patched, bears a good part of the blame for the ransomware attack that knocked systems offline around the world, Schneier explains.
Despite the fact that the government has criteria in place on whether or not to disclose a software vulnerability, and despite an official statement from NSA Director Admiral Michael S. Rogers asserting that the government does in fact disclose 91 percent of the flaws it detects to the various vendors.
The argument was that the code was a powerful weapon in gathering intelligence and, further, that those within the NSA believed the flaw would not be discovered by others. But, countering that, Schneier cites two recent studies that showed that six to 20 percent of disclosed vulnerabilities are rediscovered within a year. And, “alarming” leaks from the CIA and NSA have too easily handed attack tools to criminals, he adds.
There was one positive aspect of the WannaCry scourge, Schneier admits: Once the NSA realized EternalBlue had been distributed, the agency notified Microsoft, which released a patch that limited the damage.
And, to avoid being felled by ransomware like WannaCry, keeping patches up to date is critical.
Too big for your breaches
That’s a lesson learned this year by a number of companies. Just when you think data breaches can’t get any bigger, scarier or more confounding, enter Yahoo, Equifax, and Uber. Those three companies are hardly the only ones hit hard by hackers, but they are among the most notable for the number of users affected and the potential damage done. We say potential because the extent of damage is still not known.
There’s not much more to say about this breach, than wow, three billion users! Really? A 2013 breach of Yahoo!’s network affected all three billion of the company’s accounts, Verizon Communications, which acquired Yahoo post-breach for $4.48 billion, announced in early October.
Yahoo previously said the breach, which was disclosed in December 2016, affected one billion accounts.
“Back when the breach was first disclosed, we noted that many large enterprises lack the necessary controls to limit unauthorized access. While this remains the case, a breach where virtually all Yahoo users are affected is unprecedented,” says Bitglass CEO Rich Campagna. “It’s difficult to imagine any circumstance in which an organization committed to security could have all network segmentation, policies, and security measures bypassed completely. Calling the incident “an epic failure,” Carl Wright, CRO at AttackIQ, says companies must “seriously, find protection failures before the adversary does.”
Yahoo has already felt the impact of the breach. “When the deal between Verizon and Yahoo was initially announced, we saw the direct impact that the breach had on the price of the acquisition,” said Campagna. “This goes to show that a seemingly small gap in security can be devastating and have prolonged implications for any business.”
A judge recently ruled that Yahoo will have to face the music in court for a series of data breaches.
It took Equifax 141 days to discover a breach that exposed the data of 145.5 million U.S. consumers with hackers likely accessing the credit monitoring firm’s systems in March, a full two months before Equifax originally said they did.
A confidential correspondence sent by FireEye’s Mandiant, which was brought in to investigate the breach, to some Equifax customers, says the initial “interaction” was likely March 10, according to a report in the Wall Street Journal.
The hackers, who exploited a vulnerability in Apache Struts, reportedly accessed the Equifax network by obtaining a user name after typing the “Whoami” command on one of the company’s servers and embarking on what one source told the Journal was a “monthslong reconnaissance mission.”
Lev Lesokhin, executive vice president of strategy and analytics at CAST, maintains that Equifax missed the opportunity to prepare for a breach but others should not. “The recent conventional wisdom is that it’s the human factor that’s the weakest point in security,” Lesokhin says. “But with sophisticated spear-phishing, this is no longer the case – businesses must ensure that the architecture itself is secure.”
The circumstances around the Equifax breach were heartening only because it appears that there were consequences for the company’s cybersecurity missteps. The company’s CSO and CIO were the first to go, followed by the retirement of CEO Richard Smith, replaced in the interim by Equifax’s president, Asia Pacific, Paulino do Rego Barros, Jr.
And Smith’s feet were held to the fire by the House Energy and Commerce Committee Subcommittee on Digital Commerce and Consumer Protection. The House Science, Space, and Technology and the House Oversight and Government Reform committee’s chairmen also sent Equifax a bipartisan letter on November 20 requesting a slew of additional information by December 6. The letter information regarding Equifax’s C-Suite, CIO, CSO and an accounting of how many people were impacted.
The IRS also yanked a lucrative contract that it had inked with the credit monitoring company while the markets seem to financially punish Equifax. The company reported that for its third quarter, ended October 31, it posted a net income of $96.3 million, down 27 percent from the same period in 2016, on sales of $834.8 million, which missed analyst’s estimates by about $11 million, according to Reuters. The company credited the income loss to customers that are holding back their business until Equifax can prove its systems are secure.
For more than a year, even as it negotiated with regulators in the U.S. over privacy infractions, Uber hid a massive hack that resulted in cyberthieves pilfering the personal information of 57 million customers and drivers and prompted the company to fire two executives, including its chief security officer, Joe Sullivan.
“We know that the two attackers accessed a GitHub coding site used by Uber software engineers, found a set of login credentials, and used those credentials to access an infrastructure account that handled computing tasks for the company,” says Corey Williams, senior director of products and marketing at Centrify. “Within that infrastructure, the attackers discovered the archive of rider and driver information.”
The information stolen in October 2016 included names, phone numbers and email addresses of the company’s customers, according to a report by Bloomberg.
Around seven million drivers had their data compromised – approximately 600,000 driver’s license numbers were compromised.
While Uber told Bloomberg it did not believe the purloined data was used in any way, the company did admit to paying the hackers $100,000 to get rid of it.
“Obviously, $100,000 is probably considered “cheap” these days,” says Chris Roberts, chief security architect at Acalvio, who expressed dismay that “one of our own” orchestrated a cover-up. “The company keeps it reputation (for whatever it’s worth in the case of Uber), the company can keep doing what it does (using risky applications) and the hackers get a decent payday and can move onto the next target and see if they can do the same to them as they did to Uber.”
Which begs the question are there so many open AWS servers?
Among the many issues the Uber breach brought to light in 2017 was the apparent tendency of organizations to leave AWS servers housing sensitive information open to the public.
From Viacom (parent of MTV, Comedy Central, Paramount and others) and Verizon to Patient Home Monitoring, the National Credit Federation and U.S. Army Intelligence and Security Command (INSCOM) – INSCOM! – publicly downloadable Amazon Web Services S3 cloud storage buckets containing confidential data apparently are all the rage.
UpGuard Director of Cyber Risk Research Chris Vickery, who has discovered the bulk of the open servers recently, came across an Amazon Web Services S3 cloud storage bucket within the AWS “inscom” subdomain, and set to public, on September 27. The main repository contained 47 viewable files and folders; three were downloadable and confirms the contents as “highly sensitive nature,” according to an UpGuard blog post .
“Among the most compelling downloadable assets revealed from within the exposed bucket is a virtual hard drive used for communications within secure federal IT environments, which, when opened, reveals classified data labeled NOFORN – a restriction indicating a high level of sensitivity, prohibited from being disseminated even to foreign allies,” wrote researchers at UpGuard who revealed the Pentagon’s latest exposure. “The exposed data also reveals sensitive details concerning” the DCGS-A.
Tech advances have leapt ahead of security, creating gaps for organizations. “The market’s investment in services and tools to automate business processes without incurring heavy maintenance costs has outpaced investment in the methods to secure them,” says Threat Stack CSO Sam Bisbee. “Sometimes it’s safer to bring commoditized systems that are likely to leak sensitive information, such as log aggregation, into your own environment since they have become to cheap to maintain.”
Bisbee says that the proliferation of services like GitHub and AWS S3 should drive organizations of all sizes to “understand whether the services they use to store data are in fact risk-appropriate for the type of data they put into them.”
In with the new
Looking back at 2017 most certainly gives more than a hint as to what’s to come. (Check out SC Media’s prediction section online to see what security pros have pegged for the coming year
The new year is likely to ring more of the same – ransomware, ransomworms, breaches, leaks from open AWS servers and nation-state attacks will all rise in the coming months, as will other threats and issues.
As cryptocurrencies grow in value researchers, cybercriminals are adapting old drive-by download-style attack methods to mine cryptocurrencies instead of using them to inject traditional malware leading some to believe it’s an alternative to more devastating attacks.
Silent Monero miners and other cryptocurrency miners have grown in popularity in the second half of 2017 and have been used on site as companies ranging from Showtime to Pirate Bay.
These same methods were once used to download malware and now are being used to download cryptominers leading Palo Alto researchers to believe at least some cybercriminals are starting to view these attacks as a better business proposition than the traditional practice of loading malware on the victim’s system via drive-by downloads, Palo Alto researchers said in an October 17 blog post.
Researchers analyzed more than 1,000 sites that employed these attacks and found that five of the sites ranked in the top 2,000 of sites, 29 sites in the top 10,000 and 155 sites in the top 1 million, according to Alexa ratings. Furthermore, they found that these malicious and compromised sites resolved to 47 different counties with the majority being in the United States, the report said.
The majority of identifiable victims came from the eastern and western parts of the U.S, and of the malicious and compromised domains that were spotted, download and .bid domains accounted for the majority, comprising more than 35 percent of these sites. .com and .review tied for third with 13 percent of the sites each.
“This is such a new development that it’s still getting its footing,” senior threat communications manager Christopher Budd says. “One particularly interesting angle for future developments is the impact of cryptocurrency prices on this.”
Although cryptocurrency mining attacks have existed since at least 2013, Recorded Future researchers noted the cryptocurrency miners enjoyed a surge in popularity during the second half of 2017. Recorded Future researchers identified 62 different types of mining malware offered for sale across the criminal underground, however, due to low productivity of individually infected machines, the majority of all currently available miners will only target x64 systems, the report said.
Billions of Bluetooth devices, including those running on Android, iOS, Linux, and Windows, contain major vulnerabilities that can allow malicious actors to remotely execute code, take over devices, and perform man-in-the-middle (MITM) attacks, researchers have reported.
Dubbed BlueBorne, the collection of vulnerabilities – eight in total, three of which are critical – was discovered by researchers from Internet of Things security company Armis. The flaws potentially impact at least 5.3 billion Bluetooth-enabled devices, including computers, smartphones, and IoT devices such as watches, smart TVs, and some automobile systems.
Because phones compromised via BlueBorne bugs can quickly infect nearby devices over the air, attacks can quickly spread like wildfire, creating potentially unprecedented scenarios. Between April and August 2017, Armis researchers contacted Apple, Google, Linux, and Microsoft Corporation to disclose the various BlueBorne vulnerabilities. In response, Google has developed a patch for Android 6 and 7 devices, and has notified its manufacturing partners of the update.
Microsoft released a security update back in July that addressed BlueBorne vulnerabilities in devices running on all supported Windows versions. The Linux kernel security team has confirmed that it will release a patch as well, but there is confirmation on when this will happen.
And Apple is well ahead of the game, as the BlueBorne vulnerability Armis researchers discovered was fixed with in version 10 of the mobile OS.
Of course, despite the rosy predictions by White House lawyer Ty Cobb, the Russian probe will spill over well into 2018. It remains to be seen how the plea struck by former National Security Adviser Michael Flynn will change the tone and pace of the probe. But the revelations that Russian hackers have meddled in not only the U.S. presidential elections but also those in France, Germany and the U.K. promises to keep election security front and center in the future.
Social media companies will continue to take steps to ensure the transparency of ads and other content. There are also efforts in Congress to modernize and harden the security of voting systems.
Two Democrats leading the Election Security Task Force have asked the House Appropriations Committee to carve out $400 million “desperately needed” to help states. Some of the current machines used “rely on operating systems like Windows XP or Windows 2000 which pose a particularly security risk as those systems either do not receive regular security patches or have stopped receiving support altogether,” lawmakers wrote.
A U.S. intelligence bill that recently passed committee in the Senate contains key provisions designed to defend the electoral process from Russian meddling and other foreign interference, as well as curtail any White House effort to form a joint cybersecurity unit with the Kremlin. The Intelligence Authorization Act for Fiscal year 2018 forbids the U.S. government from using federal resources to form a cyber partnership with Russia, unless the Director of National Intelligence (DNI) submits a report that congressional intelligence committee members can review 30 days in advance of such a pact.
If the Global Data Protection Rules (GDPR) had been in effect during the latest Uber hack, the ride-sharing company would have faced stiffed consequences – or maybe it would have chosen a more prudent, secure route by promptly revealing the attack that compromised the personal data of 57 million customers and drivers, and by taking steps to mitigate the damage.
GDPR, which takes effect next May, is “designed specifically to deal with such occurrences. Under [GDPR], Uber would have had to notify the regulator within 72 hours of being aware of the hack. And assuming the regulator found them in breach of the regulations, they would have to pay a fine of four percent of global annual turnover, or 20 million Euros, whichever is higher,” says Dean Armstrong QC, cyber law barrister at Setfords Solicitors, which could add up to “tens of millions.”
However, a recent study found 37 percent of global organizations are unsure if they need to comply with the European Union’s General Data Protection Regulation (GDPR) standards.
Fortunately some are taking note of their shortcomings with 48 percent of respondents’ organizations reporting they are seeking or might seek assistance from an outside party.
It’s not all gloom and doom, though…
GDPR, for example, gives organizations the opportunity to assess the way they handle data as well as how their businesses use data. And 2017 saw the emergence of serious initiatives to make cities like Austin smarter and lay the groundwork for better cybersecurity.
With so many threats, alerts, etc., from all sides, security pros are in desperate need of a “silver bullet” to assist them in spotting threats before damage is done. AI and machine learning will one day play a powerful role in keeping systems safe.
Conducting cybersecurity operations, both today and in the future, is simply not possible without using artificial intelligence and machine learning. Mainly because the traditional method of having human-led teams trying to wade through mountains of data looking for inconsistencies is simply unworkable in an age when cyberattacks are launched every minute of the day.
“We need AI and machine learning to give us insight into what is happening, it’s simply too much for humans,” Brendan O’Connor, ServiceNow’s Security CTO, said at Securing Breakthrough Technologies – The Next Five Years panel held during the National Cybersecurity Alliance and NASDAQ Cybersecurity Summit in Manhattan .
On that same panel, Rick Howard, Chief Security Officer (CSO) for Palo Alto Networks, pointed out that not too many years ago artificial intelligence was nothing more than a science fiction film plot device used to entertain the audience, but now it, along with machine learning, are actual tangible tools.
AI can deliver consistency in other areas. “Say once an AWS S3 server is set up correctly, AI will ensure that it always is done so,” said Rich Baich, Wells Fargo’s CISO, enterprise information security.
Still, there are some roadblocks to fully implementing AI, most importantly, not all humans trust the results.
Ron Zalkind, Cisco’s CTO of cloud security, said AI does work, is scalable and can determine if a data file is bad, but “there remains a gap where humans still have to learn to trust AI.”
There’s also evidence that Congress is becoming more aggressive in trying to harden the U.S. cybersecurity posture – judging by the number of proposed bills that made their debut in 2017. And even the executive branch, which has famously pushed back against the idea that Russia attempted to influence the election, seems to be taking cybersecurity more seriously, recently nominating a cybersecurity expert, attorney Kirsjten Nielsen, formerly Chief of Staff Gen. John Kelly’s top aide at the Department of Homeland Security (DHS), to head DHS.
Nielsen followed Kelly from DHS to the White House, becoming his principal deputy chief of staff and helping him tighten up the West Wing. Her expertise includes homeland security policy and strategy as well as cybersecurity, critical infrastructure and emergency management, according to a White House post. She was senior legislative policy director for Transportation and Security Administration in DHS under President George W. Bush.
The appointment “is a smart move. In the past decade, the government has elevated cybersecurity to a federal-level discussion but the recent departures of several cybersecurity advisors and the lack of a federal CISO appointment were worrying,” says Netskope CEO Sanjay Beri. “By appointing Nielsen, who’s cybersecurity expertise is needed now more than ever as the country faces threats from hacktivists and state-sponsored malicious actors, the Trump administration is showing it’s making the necessary efforts to get more cyber leadership in the government.”
Rep. John Ratcliffe, R-Texas, praised Nielsen’s work at GWU’s Center for Cyber and Homeland Security and “her strong focus on critical infrastructure protection, cybersecurity and emergency preparedness. “In addition to her previous experience at DHS under multiple administrations,” says Ratcliffe, chairman of the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection.
And that’s some good news for cybersecurity pros who will see new threats pile on top of 2017’s still unresolved woes.