Lessons from the cyber frontline

Very few weeks go by without news of another cyberattack or data breach, and a quick scan of the BBC news website shows that most months there is at least one story making national headlines. While just a few years ago many cyberattacks went unnoticed by the public and were quietly swept under the rug, legal obligations to report breaches along with the power of social media mean the world now knows about them. Like most news, today’s headlines are tomorrow’s chip paper, but for those directly involved the consequences last a long time, while the rest of us should look at what happened and learn how to prevent the same things from happening again. Below is a selection of infamous cyberattacks, with a quick look at how the criminals managed to wreak havoc and how each attack could have been avoided.

SolarWinds

Very few people outside of the tech community had heard of SolarWinds until late 2019, when cybercriminals gained access to SolarWinds’ network. They spent some time moving around and investigating the network landscape before testing an injection of malicious code into the Orion platform, a network management system used by government organizations and enterprises to manage their computing resources. In February 2020, the code known as Sunburst was released, and the following month SolarWinds unknowingly sent out updates to the Orion software that included the Sunburst malware.

The trojanized update behind this massive supply chain attack was installed by more than 18,000 organizations, giving the attackers access to SolarWinds customers’ computer systems. From there, they were able to install further malware so that they could spy on the target organizations and cause major problems. According to SolarWinds, the resulting attack, recovery and fallout cost $40 million in the first nine months of 2021, while a survey of IT decision makers at SolarWinds customers found that the average financial impact of the attack was 11% of annual revenue, or about $12 million per company.

Travelex

In December 2019, currency exchange company Travelex was targeted by the ransomware group REvil. The group encrypted Travelex’s network and made copies of 5 GB of personal data, threatening to release the data publicly if Travelex did not pay the ransom. It is likely that the cybercriminals had been hiding on the Travelex network before launching their ransomware, having gained access via an unpatched VPN (virtual private network). Travelex reportedly paid around $2.3 million in ransom, and the combination of the trading disruption and the COVID-19 pandemic forced the world’s largest currency exchange into administration.

Equifax

For two months in 2017, US credit bureau Equifax was the subject of a massive data breach in which information relating to millions of customers was stolen. The company was first compromised through a consumer complaint web portal, with the cybercriminals exploiting a widely known vulnerability that should have been patched but, due to failures in Equifax’s internal processes, was not.

The attackers were then able to move on to other servers, largely because they found usernames and passwords stored in a plain text file, which granted them further access. The data was pulled from the network slowly over a long period so that no significant data movement would be detected. In total, the hackers stole the personal information of 147.7 million Americans from 48 Equifax servers over 76 days before being detected. The criminals also encrypted the information they took so that the theft would not be noticed.

The subsequent financial impact on the organization was enormous, not to mention jail time for the CIO who sold $950,000 of company stock before the data breach became public knowledge. In February 2020, the US Department of Justice announced charges against four Chinese military-backed hackers in connection with carrying out the attack.

Edward Snowden – the inside job

In 2013, the now infamous Edward Snowden stole documents from the US NSA and handed them over to journalists – and presumably governments – in a bid, he says, to expose the US government’s spy apparatus. According to cyber firm Venafi, as an administrator, Snowden was able to create digital certificates and cryptographic keys that were undetected by the NSA. Using these keys, he was able to access the systems and then locate the files he wanted to steal.

For exfiltration, Snowden transferred the data over encrypted channels to his own external file share using self-signed certificates. As far as the NSA was concerned, these signed transmissions were safe and authorized and were allowed to pass unquestioned. He was also able to simply copy data from the network to removable drives.

NHS 111

Most recently, in August 2022, a cyberattack on NHS provider Advanced, the company that provides digital services for NHS 111, hit the system used to refer patients to care, including ambulance dispatch, emergency prescriptions and out-of-hours appointment bookings.

The attack is believed to have involved ransomware, reportedly delivered via phishing. Once the ransomware was inadvertently run, it may have been operating in the background, exfiltrating data, before the attackers disabled network systems and so alerted the business to the attack.

Lessons learned?

For SolarWinds, since software such as Orion is built from components from multiple sources, a software bill of materials (SBOM) should have been used. An SBOM lists and verifies every component so that unwanted components can be quickly identified and removed. Additionally, keeping all source code encrypted per file and per user would have prevented an unauthorized intruder from reading the code files.

In the case of Travelex, patching the VPN would have been a significant hurdle for the cybercriminals, but the ransomware could easily have been deployed using other techniques such as phishing. An “allowed list” approach to application control would have blocked the ransomware even if it had been disguised. Application control based on whitelisting ensures that a system will only run the processes on the approved list; every other process is blocked. In a business environment we know exactly what needs to be running on a machine, so this approach is both simple and very effective. For SolarWinds customers, deploying application control with whitelisting would have prevented the attackers from running the additional malware they installed after gaining access to each customer’s network.
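As an added illustration (not code from the original article or from any vendor product), here is a minimal hash-based allowlist check in Python with constructed sample binaries: the approved build runs, while a trojanized update that keeps the same file name and a ransomware dropper renamed to look like a trusted tool are both blocked and logged.

```python
import hashlib
import logging
from typing import Dict, Set

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")

# Constructed sample "executables" for the demo; in a real deployment these
# are the files actually provisioned on the machine, not inline byte strings.
TRUSTED_BUILD = {
    "orion.exe": b"legitimate orion build v1",
    "backup.exe": b"legitimate backup agent",
}
# A trojanized update keeps the file name but its contents differ.
TROJANIZED_ORION = b"legitimate orion build v1" + b"\x00malicious implant"
# A ransomware dropper renamed to look like the backup agent.
DISGUISED_RANSOMWARE = b"ransomware dropper"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_allowlist(trusted: Dict[str, bytes]) -> Set[str]:
    """Hash every approved executable at provisioning time. The allowlist is
    a set of content hashes, not file names, so renaming cannot bypass it."""
    return {sha256_hex(content) for content in trusted.values()}


def is_allowed(name: str, content: bytes, allowlist: Set[str]) -> bool:
    """Default deny: anything whose hash is not on the list is blocked, and
    every decision is logged so a blocked "known" name (a modified update or
    a renamed dropper) surfaces to the SOC instead of failing silently."""
    digest = sha256_hex(content)
    allowed = digest in allowlist
    if allowed:
        logging.info("ALLOW %s sha256=%s", name, digest[:16])
    else:
        logging.warning("BLOCK %s sha256=%s (not on allowlist)", name, digest[:16])
    return allowed


def evaluate_sample() -> Dict[str, bool]:
    """Run the three constructed cases against the allowlist."""
    allowlist = build_allowlist(TRUSTED_BUILD)
    return {
        "orion.exe": is_allowed("orion.exe", TRUSTED_BUILD["orion.exe"], allowlist),
        "trojanized orion.exe": is_allowed("orion.exe", TROJANIZED_ORION, allowlist),
        "backup.exe (disguised)": is_allowed("backup.exe", DISGUISED_RANSOMWARE, allowlist),
    }


if __name__ == "__main__":
    for label, verdict in evaluate_sample().items():
        print(f"{label}: {'allowed' if verdict else 'blocked'}")
```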

In the case of Equifax, the consumer complaints web portal should of course have been patched, and no administrator or other user should have stored usernames and passwords in a freely accessible file. While in most organizations it is highly unlikely that the whole series of mistakes would occur, we all make mistakes. Systems cannot always be patched immediately because of conflicting system dependencies, and users – and administrators – sometimes do unexpected things.

All of these examples show the need for full off-network backups and better cybersecurity training, but also that we should always assume a cybercriminal can get onto the network. It is therefore important to protect the data itself. This means all data, all the time, no matter where it is stored or copied. Had file-level encryption been used to encrypt all data everywhere, the Equifax data breach would arguably have been a story that lasted days rather than years. If all of their data had been encrypted so that it remained encrypted once exfiltrated, the attackers would have stolen terabytes of completely useless data.

The same approach would have thwarted Snowden. If the encryption system gives each user their own unique encryption key, Snowden could have done his job – even moving files around – while being completely unable to decrypt and read the information.

20/20 hindsight is a wonderful thing, but if we are to derive any benefit from these cyberattacks, we need to learn from them and look for new ways to protect our data, not just keep building more layers of defense to keep people out.
