Episode #77 - It's Ransomware Season!

hello and welcome to the cyber rants podcast
this is your co host in zack fuller
joined by mike ortondo and laro chavez
today's topic
everybody's favorite ransomware
we'll dive into that
but first mike
i have a feeling you have some news about ransomware
i have some news about ransomware
but i thought i'd start us out with something really
exciting exciting insurance
i'm not even gonna bring up that
ohio state's paying arkansas state tomorrow at nine a m
so don't bring that up
don't bring that
with cyber insurance costs increasing
can smaller firms avoid getting priced out
cyber insurance is quickly becoming an unavoidable part
of doing businesses
more organizations
except the inevitability of cyber risks
such as those caused by ransommar
while other potential disruptions
benefit from stable insurance providers
with decades or even centuries of practice behind them
cyber insurance is a new field
that has proven hard to comprehend
in many cases
premiums have rapidly increased
and providers have become more cautious
about being left on the hook
for multi million dollar breaches
in addition to the cost of the premium itself
there's a growing tendency
for more complex policies
that make complicated demands of applicants
that contain more clauses that will avoid coverage
for example
firms may need to meet a very strict perspective
list of security solutions and precautions
to qualify for coverage
we may touch on that later in the podcast
keybank customer information stolen by hackers
by a third party provider threat
threat actors stole security numbers addresses
and account numbers of home mortgage holders at keybank
according to the associated press
the breach was allegedly caused by a third party vendor
providing multiple corporate clients
including keybank
with insurance services
according to ap
the hackers acquired the information on july fifth
after breaking into vendors computers
at the time of the writing
ninety five
keybank did not clarify
how many of its customers were affected by the breach
in the meantime
because there are still lawyers
there is a proposed class action
lawsuit over the data breach
the lawsuit highlights that
this type of personal information
can be utilized on its own
and in conjunction with other personal details
to perpetuate
perpetuate crimes against consumers
consequently
cause significant damage
their money
property credit
and reputation
the pseudo ledges
had defense properly maintain their systems and
adequately protected them
they could have prevented the data breach
i think the lawsuits
are going to become more and more prevalent as well
if they can prove um
negligence on the part of the companies being breached
that's something definitely have to be aware of
um stealthy linux malware
starts off small
but gradually takes control
a stealthy new form of malware's
targeting linux systems
and attacks
that can take full control of infected devices
and is using this access to install
crypto mining malware
dubbed shikata tigga
got lucky on that
the malware targets endpoints
and internet of things devices
that run on linux operating systems
and has been detailed by cyber security researchers
at amp t alien labs
the mower is delivered in a multi sage infection chain
where each mod will respond to the command
from the previous part of the payload
and downloads and executes the next one
by downloading the payload bit by bit
starting with the module
that is just a few hundred bytes
shikatiya can
avoid being uncovered by antivirus software
it's also used a polymorphic encoder
to make it more difficult to intact
and even more good news
there's a new evil proxy services
lets all hackers use advanced fishing techniques
reverse proxy fishing is a service
which is now dubbed pas
platform called evil proxy
has emerged
promising to steal authentication tokens to bypass
mfa on apple
google facebook
microsoft twitter
github godaddy
and even pi pi
whatever the hell that is
the service enables low skill threat actors
who don't know
how to set up reverse proxies
to steal online accounts
that are otherwise well protected
when the victim connects to a phishing page
the reverse proxy displays legitimate login forum
the forward
forwards request
and returns are responses from the company's website
when the victim
enters their credentials and mfa to the fishing page
they are forward to the actual platform server
where the users logged in
the section cookie is returned
however is the threat actors proxy
sits in the middle
it can also steal the sessions cookie
containing the authentication token
the thread actors can
then use the authentication cookie to log on the site
bypassing mfa
so we got that going for us
kunap patches
zero day used in new deadbolt ransomware
kunap is warning customers
of ongoing deadbolt ransomware attacks
that started on saturday
by exploiting a zero day vulnerability
and photo station
the company's patch
the security flaw
but attacks still continue
and then for those of you outdoor enthusias
two hundred thousand north face accounts hacked
and credential stuffing attack
outdoor apparel brand in north face was targeted
in a large scale credential stuffing attack
that has resulted in the attacking of a hundred ninety
four thousand nine hundred five accounts
on the north face dot com website
credential stuffing attacks
when thread actors use email address usernames
and password combinations obtained from data breaches
to attempt to hack into user accounts on other websites
the success of these attacks
the success of these attacks
relies on the practice of password recycling
where a person uses the same credentials
across multiple online platforms
i don't know if anybody that would ever do that
the financial stuffing attack on the north face website
began in july twenty sixth
and ended on august eleventh
they were able to stop it on august nineteenth
or excuse me
is discovered on the eleventh
stopped in the nineteenth
after investigating the attack
north face determined that the attackers
managed to breach close to two hundred thousand counts
including using valid credential potentially
accessing the following customer information
full name purchase history
billing address
shipping address
telephone number
gender password
their rewards account
and concreation date
last one shark botton malware resurfaces on google play
to steal user consoles
an upgraded version of the sharkbot mobile malware
has been spotted on google's play store
suggesting a new blog post by fox
it part of the ncc group
the new version of sharkbot reportedly targets
the making credentials of android users
via apps that have collectively counted
sixty thousand installations
the new dropper doesn't rely
on accessibility permissions
to automatically perform the installation
of the drop our shark pot mower
instead the new version asked the victim
to install the mower
as a faked update
for the antivirus
to stay protected against threats
um there's a couple other interesting headlines in here
second largest us school district
la usd hit by ransomware
china is accusing us of cyber attacks
um half of firms reports
supply chain malware
ransomware compromises
and moo bot
botnet is back
and targets vulnerable d link routers
there's a couple other things
and if you haven't heard
if you've been living in a box
google chrome
there was a zero day
released on september ninth
september fifth
so go ahead and update that real quick
so with that zach
very laura excuse me
yeah exactly
thanks mike
i appreciate it
this week for exploits
we've got really just one to talk about
for everybody out there
who is using the sofos firewall
if you've got the xg one one five
or even the xg one o five
if you're not familiar with these devices
are rack mount firewall appliance
from those however
version seventeen dot zero ten
has a authentication bypass border ability
which is really
really clever
if you send a j sauce string via the url
you can bypass the security web login of this appliance
and get administrative access to control the device
so for those of you running this firewall
make sure that you're not
presenting this web
interface for configuration to the public internet
and if you're
if you're only hosting it internally
it's not that big of a deal
probably one of your internal employees isn't
gonna try to pull this off on you
but go ahead and patch and get off
version seventeen dot zero dot ten
even if you've got the one o five
the xg one o five
good enough
that one too
just in case
i'm assuming
big assumption because the ios are similar
because this authentication by packs
works on the one fifteen
it'll probably work on the one o five as well
from that if you're running wordpress
playing the dangerous games
carrying yourself covered in meat
jumping in a pool of sharks
might want to check those
about fourteen plug ins
that have exploits available today
just from this last week
so i won't get into those
but if again
if you like to play
if you like to live on the razor's edge
make sure you're looking at your plug ins
and getting those updated
zach i guess we're gonna be talking about
some clever ways ransom word gets in
like wordpress
yeah yeah well
definitely update those sofas firewalls
now that you told everybody how to hack them so
spread the information right
now you got to jump on it quick
but really yeah
wordpress very dangerous
great game well let's
let's shift gears a little bit
and talk about ransomware
in just a moment
after a quick commercial break
we're back
we could have ran somewhere
i was thinking when i saw that article about
the la school district getting hacked
i felt bad for those kids
because they don't get snow days there
if they ever have a chance of getting a day off
it would be a ransomware attack
when all the computing systems are shut down
but they didn't even get the day off
they still had to go to school
so that's too bad
pull out the workbooks and like
take your pencils out kind of thing
you know go old school
everybody everybody riots
what's a pencil
they are racing
you mean delete the delete key yeah or the backspace
how do you write in
how do you write in cursive again
well that being said ransomware
always a big topic but it seems like they're seasons
it comes and goes and the news right and right
now it's in season
definitely ransomware season
also deer and elk season
depending on where in the country you are
but for ransomware purposes
sorry got weakened weakened brain going
but for ransomware purposes
let's talk a little bit about
some of the basics
i guess for maybe those people that are new to this
or just listening to this for the first time
interested in ransomware in general
and how to prevent it
let's talk about how it infects environments
to begin with
how does it get into your network
usually someone clicks on something
like an amazon gift card
you know there's
there's a yeah
i don't know
there's there's
there's a lot of ways
we could have a whole
whole episode
on just the deployment methods for ransomware
that they're using today
i think some of the things that you know
mentioned in the news
like evil proxy
is a great example of stealing user credentials
not quite ransomware but a
proxies like that can be used to deploy ransomware
there's trusted updates again
you know you get
just like the solar winds
orion as an example
they can take advantage of trusted software and then
fool you into believing you have a legitimate update
typically though i think
i think the lateral
i think the universal consensus on the most common
way that ransomware is going to infect your environment
is number one
a user clicks on something because the user got pulled
and number two
you expose something in it
that bypass change management
or that you weren't aware of
it gets the front door kicked in
so those are really you know kind of
i think the two main ways zach
that at least i see are the most common that you get
you get mal or you get ran somewhere
put in your structure
yeah and you know going back to
you know you talk about being the season
it's been amped up lately
you're getting everything from ace hardware
american express chase b of a
and then the fishing emails are looking really good
they're really close
to being an actual
i mean they look like they're using the actual
templates of b of a and everybody else uses
so you gotta be real careful out there
so double check your email
one of the things that
that's a dead giveaway for me
is if it doesn't have the right email account
if it's sending to an email account
that's not associated with that credit card
always double check where it's coming from
and who it got sent to
yeah absolutely mike
i think there's a lot of farming
if you're not
if you're not familiar with the term farming
if you're not
if you're not a video game guy
there's a lot of times you farm for assets
and one of the assets you can farm for
is email templates and email formats
and i think a lot of the way that this is happening is
you've got a bunch of would be sales emails going out
they look like they're from a legitimate company
they may be
but they're
they're asking you hey
do you need this service
do you need that service
you know i saw this
and then you reply to them with your email
with your business email
now they have your signature block
they have how you type
how you respond
that can go if
especially if you're a ceo or a cfo or some
some of you know
sea level executive and organization
and you respond to one of these emails and you're like
man stupid sales guy
you quit bothering me
and you send him a couple
email messages to get him off you
that could have been somebody farming
for your email template
and now they have your email address
your signature block
and now they can pervade themselves as you
but you know
i think first
maybe it would be a good idea to just
kind of talk about what the purpose of ransomware is
and why it's so prevalent today
you know this has gone well beyond the morris worm
of the eighties
where you know
it was all about
infecting a computer to try to mind data
no one cares about your data anymore
no one cares about your social security numbers
no one cares about the credit card numbers
you have you have computers that run your business
okay if you're
if you're operating in the united states today
or anywhere in the world
there's a ninety nine point nine percent chance
you're using some level of technology
to fund and front your business
okay whether that's a web page
or you've got active directory or anything else
okay so you depend
as a business in the twenty first century on technology
the ransomware cybercriminals
are going to extort you for money
again they don't care about your data sets
they realize your business leverages technology
they can take that away from you
hijack it and hold it for ransom until you pay
and this can include anything from
destroying your backups
so that you don't have a backup strategy
which is something we should probably talk about mike
right where the insurance requirement is saying
you need to have an air gap backup
okay they're saying air gap
meaning completely separate from your ethernet network
internal okay
completely no connectivity
because a lot of the ransomware games
will include destroying the backups
so that you can't come back
now you're typical horse
do that first
yeah yeah typically
that's usually the attack plan
get somebody to click on something
get the ransomware deployed
just located for the backups first
that's goal number one
locate destroy the backups
lock everything up with high encryption
and then send the demand letters through printers
they'll run your printer out of paper
printing the demand letters to go to the tour site
that they're going to host for you
for you to pay your ransom
and cryptocurrency yeah
don't know yeah
i mean it's something we preach
and there's a lot of people
they're like on it
you know they only keep their backups online
and they're all in the same instance
and it's a dangerous dangerous game
you know so
yeah i mean that's really it in a nutshell
i mean that's
that's where we're at
what we're seeing though
is it definitely a definite explosion of ransomware
which is why you know
that first story we talked about with insurance um
is becoming more and more expensive because
and and they're starting to have requirements
that used to be that if you wanted cyber insurance
so like you have a computer
do you have this side and the other thing
and it was a minor question there
now they're getting real serious about what they ask
and what they're
what they want and
you know you have to have mfa
you have to have
you know the password keepers are looking for
you know other things like that
well it was only a matter of time right
i mean because
you know just like driving a car
you're gonna get punished for being a bad
a bad driver
because the insurance company has to
eat all this money on the back end
and the same for cyber insurance if you're
if you're just
you know hobo joe and you decide
to build this you know
fake computer company to like
you know make some money
and you get
you get hacked
and you were
eligible enough initially to get cyber insurance
all of your bad practices
you know four or five years ago
you could do completely stupid stuff
and cyber insurance will cover you
while that only lasted for a long
you know a certain period of time
right now they're starting to catch on to the con
they're saying hey
these companies are behaving really badly
and we have to eat the cost of their mistakes no more
so now there's going to be
you know now they're starting to
and we've had
you know we've had experts on that
kind of you know
we've hinted at this before
but this is kind of an evolution
that we've kind of seen coming
were now if they can go to court with you
and prove that you were negligent
you didn't have multi factor enabled
you weren't
your gap in your backups
you were you know
you didn't align to iso twenty seven thousand one
or something similar
they're gonna show that your negligent
you're gonna be responsible for all the costs
okay and that's
if they don't
and if you lie about it
now they've got you for fraud too
in the court
right so when they call you on the stand
and you said
you know when you when you
when you went to
you know entertain the idea of getting insurance
and you answer a questionnaire you filled out here
that you had a line to this framework
and now we haven't found any evidence of that
so you know
so there's all kinds of bad things
that are gonna start falling out
because of cyber insurances
getting tired of fronting the bill
for stupid organizations who deliberately make mistakes
or they don't have the
just the sheer intelligence to go out and ask for help
they're costing these cybertrans companies
and costing you and our data right
data losses and service losses
and they're just
they're not gonna stand for that anymore
well i think we're also gonna see a larger
amount of lawsuits
like we're seeing with the north face one
you know class action lawsuit
for those two hundred thousand people
because of the negligence of the computer kind of
i think it was their vendor whoever it was
anyway those kind of lawsuits
or actually that's the one for key bank excuse me
those kind of lawsuits are gonna start happening more
more frequently
there was one that happened five or six years ago
was in a hotel chain and i can't feel life for me
remember it but it was a multi multi million dollar
the choice of settlement i want
i want to say radisson or something like that
but that may be choice
i don't remember
but it was a big lawsuit
and they lied their asses off
excuse my language of
about everything that they had in place
and you know
they're running deprecated hardware
and deprecated firewalls and
yeah stuff you
you're gonna be forced to be responsible
in order to just do business anymore
and i think it's the closest
the private sector is gonna come
closest to regulating
functionality and requirements for it security
the government's not going to do it they can't
they're too big
they can provide guidance
there's no way to enforce it
but the insurance companies
and the private sector certainly can't by fees
i've said it before and i'll say it again
you know technology has been almost free
relative to the
benefit that it provides and the income it can produce
for so many years
and now i see it as like a tax on using technology
you just gotta do these things
you gotta pay for it
there is no way around it
and to your point on insurance
it's not about getting discount or getting anything
i hear from top insurance providers
no you just don't get it period
if you don't have these things in place
so they're now required
it's been interesting
we've seen a shift in our business
where before it was all about hey
we want to do these things
because a client is requiring it
or because we have these compliance requirements
and now we're hearing more and more
well we have an insurance renewal coming up
so now we have to get these things in place
so it's really interesting
even just three years ago
cyber insurance was cheap
they weren't enforcing anything
and now wow
night and day difference
yeah night and day
well back to the ransomware
i mean and this is
this is a perfect
you know kind of exit way for the insurance talk
is that you know you again
you make a mistake
or a human makes a mistake
and you get ransomware deployed
and you get your backups destroyed
and now you're losing money
right if you've done
you know service level agreements
or operational level agreements that you've you've
you've got these
master service agreements with your customers that say
if we're guaranteeing
ninety nine point nine percent of time
well now not only do you have to pay the ransom right
because your systems are unusable at this point
now you've also got to think about
the downstream effect that's gonna happen
because now
you're not meeting your service level agreements
to your clients
if you're guaranteeing ninety nine percent up time
odds are you you
you have a clause in there that somebody agreed to
that pays out some money if you don't meet that
so there's a lot of
i'll say collateral damage
that can come just from a simple ransomware attack
and here's the thing
is that the ransomware authors
and the cybercriminals
don't have to really try hard these days
it's a matter of walking along a busy street
in new york
and lifting car handles
eventually you're gonna find one
that somebody didn't lock their door
cybercriminals are continually scanning
they're continually trying
it's a shotgun effect
they're eventually going to get something that works
and when they find something that works
just like anglers out there in the world
when you find
a fishing fly or a bait solution that works
you try to reuse it in that fishing spot right
cybercriminals are the same way
they're gonna realize
this is all research and development
on their perspective
they're gonna realize what works
they're gonna stick to that recipe
until it doesn't work
or until some works better
so again it doesn't matter if you got sensitive data
it doesn't matter if you
what matters is you got computers
that we can lock up and stop your business
if that if the answer to that
can you do business without your computers
if the answer to that is no
then you're susceptible to ransomware
just like anybody else
so it's time to stop
you know the
the i i saw that
the poisoning
thought process of
well i don't have anything cybercriminals want
so i don't have to develop
you know devoting any time to cybersecurity
or develop any cyber security programs
or risk management
because i'm just a simple computer company that's doing
you know x y and z
i don't have any
right that thought process has to completely leave
because again
if i took all your computers away today
could you function your business
if the answer is no
you're susceptible to ransomware
you should have a strategy in place
for how to prevent it
and at least proactive strategies in place for how to
keep top of mind
and keep your
your you know
your employees educated about not clicking on things
so it's super important
again you're gonna be paying it
and then the cyber insurance company is gonna cover
part of that cost
and then there's gonna probably be just
we were talking about
it was gonna be a big lawsuit on how you're negligent
and now you owe them that money back
or something even crazier right
where you owe clients money now
because you're you're
you were down for two weeks
it costs four times as much to fix an incident
and repair the damage from an incident
as it does to prevent it
and that's something a lot of companies would just say
you know we'll deal with it when it happens
it's like you guys just don't understand
and then for those of you who are listening to little
talking here and saying oh
well i'll just offload it to the cloud
it's not really a problem
it'll be their problem
that ain't how it works
because they're insured too
but if you're
if you have control over the security
of your cloud instance
and how you're managing authentication
and how you're developing your data and you
get ransomware in the cloud there
it's not their problem
it is your problem
it's an aws is not going to bail you out
and you got to look at those contracts real close
because they are not always responsible for security
they may be responsible for a firewall
they may be responsible for
you know something of that nature
but they are not responsible for
how you build your application and secure it
absolutely it's not like leasing a car right
i mean it's like technically it
it's yours but it belongs to the dealer and if you
if you go over the miles or
you know your store responsible for cleaning it
maintenance
the whole bit
mm hmm and yeah
it's if you
if you have an accident in that car
you're still liable
not the company that leased the car to you
right and so cloud compute works the same way
it's somebody else's computer that they're loaning you
for a period of time in terms of service
and you're responsible for the security of that system
exactly exactly
so yeah you gotta think of that
there's also another reason why cybercriminals break in
and there's a lot of mining for bitcoin still going on
they're trying to steal your compute resources
to mine for bitcoin
and that is definitely a thing
so yeah those are
yeah and those are more
those are more subvert
you know i think when they're
when they're using your resources to mine they
they want to not be caught
because you know
the whole premise is
is trying to get as many compute resources as you can
to solve the next
you know coin ledger problem right
so they're gonna
this can get installed
and so you know
the way to note this is if you notice your computer
acting slow during certain times
but even some of the more intelligent crypto miners
i've seen that will install as part of chrome
they're doing stuff at night
if you leave the computer on
they're operating from like
midnight to like six in the morning when nobody's awake
so they even
you know the ransomware gangs and
and the you know
the compute resource attack games
they all know americans kind of sleep schedule right
so they're gonna
they're going to enable their malware
and their crypto mining malware
to operate on the hours that we're typically sleeping
so my advice to everybody
if you're using a laptop
or even if you've got an old school desktop
with a plug in the back
just turn your network adapter off
when you're not using the computer
it's simple
you can right click
turn it off
if you've got a mac
it's even easier
you slide the button over
and now you're not on wireless anymore right
so now your computer
isn't attached to the network while you're not using it
so you you can have some control over
you might be able to stop the crypto miningware
but you can at least
you can at least make them compete
for their own computing resources
while you're doing your normal day to day job
and they're trying to mine crypto
while you're doing your banking
so there's always that
yeah or we just turn it off
there you go
turn it off and never start it again
and you will avoid somewhere
indefinitely
and just for those people out there that don't know
air gap does not mean wireless
just because there's air between the devices completely
that is it's in the cloud it's airgabbed
despite popular belief you know well it's
you know we laugh
but in all reality people
people are essentially lying on questionnaires or just
and sometimes out of you know
well meaning but just unknowing unknowing
situations where they think
oh well that makes sense to me
i'm just gonna answer it as
yeah i have that
here we go but uh
but it's an interesting topic
you know i think
i think ransomware is
is here to stay
i would i would say it's probably the most effective
methodology
for cybercriminals to do what they want to do
and what they want to do is make money
that's what most
the vast majority of cyber attacks are
financially motivated
i haven't seen the latest stats
but last time i looked it was well over eighty percent
the rest is that you get a little
some cyber warfare and activism and things like that
other types of attacks
but for the most part
just remember
and there's a book that we rant about this and a lot in
but just remember
these attacks are financially motivated
and if you make yourself a harder target
then you're worth
from a cybercriminals perspective
then you're in a good spot right
minimize their return on investment and you are good
well that being said
any other final words of wisdom on ransomware
or any other topics that come to mind for that matter
ohio state mike
anything else
oh wait i oh
my final thought is
yeah just to reiterate you know don't
don't have the illusion that you don't have anything
cybercriminals want
if you have compute for your business
and your business is making money they want money
this is all about money
it's all about getting the money
all about the benjamins as they say
so if they can do so and extort you for money they will
so be on your guard
like zach said be a hard target make it
make it hard for them
so it's not worth it
you don't have to outrun the bear
you just gotta outrun the guy you're there with
gotta run faster than the other guy
you don't have to have the most security
you just gotta be more secure
than the t mobile next door
yeah there you go
then bob's bait and tackle down the street
yeah yeah well
if your face
we brought up insurance
but if you're faced with one of these questionnaires
number one don't lie on it
number two put those things in place
it'd be good for you
anyway if you need some help
there's some great companies out there
i know of one in particular that's
extremely good at implementing controls like that
and three remember that ransomware
just because you have insurance
it's not going to get you all your money back right
so you know that that is not a protection either
that's a last worst case
you hope you never have to use it
what kind of kind of thing
so don't rest too comfortable
just because you're insured
ransomware can still get you
and then the insurance might say
we want to see receipts
we're not going to give you your policy
we want you to buy one chair
and then show us the receipt
and then we'll reimburse you for that
we want you to buy one or more router
and see the receipt
and then we'll reimburse you for that
so you might
you might be down a terrible road
and for the cfos out there that are just thinking oh
it's just gonna be a short ding on my stock prices
or evaluation of the company
it's not that way anymore
your insurance rates are going up
your you know reputation is going down
and you're susceptible to lawsuits now
so write that check
there we go
well thank you for listening to the cyber rants podcast
hope you enjoyed this episode
reach out to us cyberrants podcast com or on linkedin
or carrier pigeon whatever you like
and let us know what you're interested in hearing about
different topics
for the future
be sure to rate the podcast
subscribe share all those good things
and helps us spread the word
have a great day and we'll see you on the next episode