Vancord CyberSound

033 - The Mainframe

March 14, 2022 Vancord Season 1 Episode 33

Today, cyberattacks happen more frequently and with greater sophistication than ever before. Organizations around the world search for the right tools, policies, and procedures to avoid the consequences of system vulnerabilities and malware. 

In this episode of CyberSound, the team discusses recent cyber threats companies are facing, along with helpful commentary on how to defend against them.

Join Jason Pufahl, Steve Maresca, and Matt Fusaro, as they report on recent attacks involving the American Red Cross, why people should beware of cybersecurity threats during tax season, and how hackers prey on collaboration tools like Microsoft Teams.

Unknown Speaker  0:01  
This is CyberSound, your simplified and fundamentals-focused source for all things cybersecurity, with your hosts Jason Pufahl and Steve Maresca.

Jason Pufahl  0:11  
Welcome to CyberSound. I'm Jason Pufahl, joined as always by Steve Maresca and Matt Fusaro. Hey, guys. Hey, good, thanks. So I think we're going to try to do a regular segment now, where we talk a little bit about sort of current threats, relay a little bit of information that we're getting from you, really, from existing clients and the challenges that they're facing, that might be relevant to our listeners. So today, maybe starting a little bit with those sort of topics in the news, you know, threats that we're seeing, or, you know, sort of creative cyber attacks that are kind of new recently. We covered a couple of them here when we were kind of planning for this. And I think the one that probably jumped out first was, you know, the Red Cross. It seems like an organization you probably shouldn't attack. But, you know, would anybody want to start with kind of what happened there?

Steve Maresca  1:04  
Yeah, it is interesting actually to bring that out, that they did attack the Red Cross, because there seems to be kind of an accord going around a lot of the threat groups where they don't attack these types of systems, but this definitely was targeted right at the Red Cross. So their main headquarters is in Geneva, and I guess this is where they have a lot of their IT systems. This particular attack affected around 500 or 15,000 people that were receiving aid from the Red Cross. So what they're saying is that a sophisticated attacker came in, which I'll give them this one. Usually, we don't like when we hear "sophisticated attacker"; there's usually not much of an attribution toward them being sophisticated when we see the details. But apparently there were a lot of custom payloads that were created just for them. I guess a lot of the scripts were specifically targeting MAC addresses, custom software, things like that. So we'll give them the "sophisticated" one on this one. But apparently this one had a dwell time of about 70 days or so. I think right now, what do we have, 200 or so days that we're seeing in most organizations for dwell

Jason Pufahl  2:15  
time? Is that something? I mean, that's almost fast, then, you know, fast discovery in some way. 71 days is still a long time. But

Steve Maresca  2:20  
Right, yeah, I mean, it really does solidify that, hey, these guys are usually here for a while before you actually find out what's going on.

Matt Fusaro  2:28  
And unfortunately for them, they tripped over it when they were deploying an EDR system. So, you know, it could have been a longer dwell time, more in line with the average. But in this particular case, at least, they found it and were able to take steps to get rid of the actual attack and the malicious actors. I think the main takeaway is that it was at least associated with, if not caused by, a vulnerability. And, you know, a lot of the time, especially today, we talk about ransomware being initiated via phishing; it does not seem to be the case here. Interestingly, their disclosure buried quite deeply the platform that was affected, but this was ManageEngine ADSelfService. So it's basically a tool used for people to manage their own passwords and that sort of thing.

Steve Maresca  3:13  
Right. Yeah, a tool of convenience that, you know, again, is used against you. This is something we've seen in the wild too; you know, one of our incidents actually involved a similar system from ManageEngine. Yeah, I think the takeaway here is, especially for things that are involving your identities, make sure they're patched; you've got to stay on top of them. And I think they do admit a little bit, even in the ICRC, which is the Red Cross's organization. The ICRC does say that, you know, we were trying to get to patching, we just didn't get to it in time. And then this is the result here, right?

Jason Pufahl  3:47  
So I imagine that's where you're splitting hairs around, well, being a sophisticated attacker, but at the same time, they used an existing vulnerability, right, which we see all the time. So I think your attribution for the "sophisticated" piece is really that they created some custom scripts, or some custom content, to exploit this.

Matt Fusaro  4:06  
Yeah, almost more targeted than sophisticated. There were some tools used that apparently are not available, you know, if you go to GitHub or other places you would normally find, you know, hacking tools or any type of malicious tools that you could find, like Metasploit, those packages that are out there. These are definitely tools that they developed themselves.

Jason Pufahl  4:28  
I mean, it certainly does demonstrate that, like, nobody's immune to this. You can't look at it and say, well, my company doesn't have data that's important, or my company operates in a space where there's this sort of tacit agreement that they're not going to get targeted. Like, you know, everybody's a target.

Matt Fusaro  4:42  
Social services organizations like the Red Cross are compelling targets for these organizations because they tend to involve, you know, identification, people, you know, lots of PII, medical records and things of that variety. Yeah, the data is valuable, right, right. Yeah, it was a multinational scope too, so you hit that type of an org, you get a lot of people across the world all in one fell swoop. So, I mean, it's attractive for your attacker. Not so pleasant if you're the organization.

Jason Pufahl  5:12  
So yeah, moving on maybe, you know, this is February, late February. Tax season is upon us. And I think we're seeing some activity now with Intuit, right?

Matt Fusaro  5:25  
Yep, absolutely. There's an attack that's ongoing over the last several weeks, I'd say, where Intuit users are being phished. It's, you know, totally unrelated to Intuit itself; Intuit the company and its platform are totally unrelated. But the message is that, you know, your account's going to be suspended due to inactivity, you know, making people feel nervous as they're getting ready to enter their taxes. So it's timely, people are thinking about it, they're susceptible to it. And we wouldn't be entirely surprised to hear this occurring with the other agencies, tax prep organizations. Basically, in this case, it's a phishing email; the link invites the recipient to go to some website unaffiliated with Intuit, submit username, password and all of that. Now, what's the threat? Ultimately, if a threat actor has your username to a platform like that, they may be able to access prior tax returns down the line, submit fraudulent returns, get your return deposited in some, you know, banking mule account, something like that. That's the arc of an attack like this.

Steve Maresca  6:34  
Especially the false filings; those are pretty impactful to people because it does take a while to actually get corrected. And usually, you'll have to get some type of legal team on your side as well to fix all that. So it's definitely something to watch out for. But yeah, Intuit is the unfortunate target of this almost every year now at this point; there's always something new.

Matt Fusaro  6:56  
And it's just a market share thing. Certainly, it makes sense. There's not much else to it. Ultimately, it's, you know, the same message as usual. Watch your recipients, make sure they're legitimate. And your senders, make sure they're legitimate. And be wary of the links you click. In this case, it seems like there may have been some sort of a payload, malware, that was delivered in addition to submitting credentials. It makes sense, you know, tax preparation, if you're doing it via your computer, you probably have some files local. I'm not too surprised there.

Jason Pufahl  7:28  
So I think one of the takeaways, though, is we certainly don't want people to hear this and limit their concern, maybe, to Intuit or any of the companies that are like that. Like, we've absolutely seen larger companies who run their own payroll and HR systems be targeted for almost exactly the same style of attack. Right. So I think that the message really is, it's tax season, you'll probably get anxious a little bit around tax season regardless, and the opportunity to phish people is really high. So pay attention to your internal systems, and, you know, if you're an individual user, of course, pay attention to some of those other sites that you might use for individual preparation.

Matt Fusaro  8:04  
Right. It's the perfect storm for phishing, you know: urgency, some anxiety around it, you know, the call to action is present, and all of that, whether you're dealing with the federal government or tax preparers. Like so,

Jason Pufahl  8:15  
Yep, state tax is happening every year. And then the gift of phishing taxes happens every year, for sure. So moving on, and honestly, of the three, this is the one that I think kind of makes my skin crawl more than anything else, probably. The idea of your exposed credentials being used to impersonate somebody else through some of the common chat platforms. Right. So I think Teams specifically.

Matt Fusaro  8:42  
Yeah, this is a recent event that disclosed that Teams is being used to actually distribute malware. Now the attack setup is pretty simple when you get down to it. But it is multistage. It starts with an initial user in an organization that uses collaborative tools like Teams being acquired through phishing. That user is then impersonated; the attacker logs in and then subsequently does some organizational reconnaissance to figure out reasonable next targets. Now, the real interesting part of this particular attack that's been disclosed is the fact that messages are created to send to some other person in the org with an attached piece of malware, or an attachment that is malicious in some other way, a link, you name it. Bottom line, though, is that the communication seems to come from a valid source, the impersonated individual; therefore, the recipient is more inclined to trust it because it comes through Microsoft Teams, it comes through an email alert that you missed the message. It's abusing those trusted relationships to get somebody to click.

Jason Pufahl  9:49  
So the flow, I'm curious, is it really just send a file and hope somebody downloads it? Or, you know, is there a preamble, like a sort of conversation starter of some sort? Or do you have any thoughts, a good inclination of what that normally is looking like?

Matt Fusaro  10:02  
Yeah, I think it's going to depend, right, on the attacker and who they're attacking. So there's a lot of opportunities there, right? If your Teams platform allows you to attach files and, you know, send links and things like that, then all that's available. To realize that, the sky's the limit as far as what you want to do. But again, I think, kind of to Steve's point, it's, you trust that person, because you work with them, right? You have no reason to believe it's not that person sending you that message. So, you know, if you get a spreadsheet that says, you know, whatever it is, I don't know, orders for this week, you're going to open it trusting that it's a good document. And that's where it's easy to just install macros, or have that be a separate type of payload.

Jason Pufahl  10:46  
It makes it so difficult, I have no idea. We tell everybody, look at links in emails and, you know, try to understand a little bit the language being used. But the reality is that's a short-form communication; you're usually getting maybe a sentence. It's hard to discern tone, it's hard to sort of discern intent.

Matt Fusaro  11:04  
Yeah, this is where you have to rely on your identity systems at this point for this. And it's a shame that, quite honestly, Microsoft makes this somewhat unattainable for some companies; you need a pretty high level of Microsoft 365 licensing to get things like your identity defender. You know, this is something that a risky sign-on would probably catch, where they ask for multi-factor or something like that if they are coming from a different country, or if they're coming from somewhere that they don't typically come from; that usually is marked. If you don't have that, then you're kind of susceptible to this.

And unfortunately, most orgs don't actually deploy those things, right. And at the end of the day, even if the recipient doesn't work with the impersonated individual, they're probably going to try to be helpful and say, hey, you know, I don't really know what this is, but maybe you want to go check with so-and-so. Which maybe means the attack is thwarted for the first recipient, but then they're being redirected to a better one. So, you know, it's an abuse of trust, as usual. Now, we have other examples of this. We've heard of other collaboration platforms, starting with G, that you'd recognize being used in the same way. Yeah, it's not Teams, right? It's distributing messages without the "Hey, it's from an external sender" flagging on an email, or using internal pathways that are trusted. Same deal.

Jason Pufahl  12:27  
So this hits our sort of current topic piece. How current is this? I don't know that we've managed an incident, I don't think, that has had a collaborative tool issue as its genesis, right?

Matt Fusaro  12:41  
In this particular case, the Teams news that was disclosed is as recent as February 17. So incredibly recent, right? Now, obviously, I was referring to Google. Yeah, the Google Groups, Google domain attack is, you know, also this month. And not just one organization; this is across several, and it's a fairly publicized attack, but the same vector.

Jason Pufahl  13:03  
So certainly something to keep an eye on, and to see if they start getting used more and more prevalently. And the reality is, you know, I think we're better at detecting your traditional email-based phishing. This is just another way of hopefully getting in front of somebody and sort of executing something on the basis of trust. So moving on a little bit to things that we're encountering as we talk to clients, you know, for me, the thing that jumps out, for sure, seems to be cyber liability insurance, right? We did a whole episode, basically, on sort of the new requirements. I feel like every customer that we have is either renewing policies or maybe looking for new policies, right, and addressing some of the gaps that they have relative to some of the new requirements.

Matt Fusaro  13:51  
Right. I mean, I have four or five applications that I'm facilitating for organizations right now, with different carriers; it doesn't really matter, the workflow is the same. Similarly, as an outgrowth of that, we're dealing with implementations to resolve some of the things that cyber liability insurers have, you know, earmarked as requirements for getting the policy. MFA being a great example. It's a direct outgrowth of cyber liability. I don't have a count of how many customers we have doing that.

Yeah, it's been quite a few between MFA, EDR, some implementations. There's been quite a bit that people are trying to get out there, being reactive and proactive based on, you know, where they are in that cycle. But the insurance requirements are definitely pushing quite a few projects in that direction.

Jason Pufahl  14:37  
So, and, you know, they're frankly all reasonable things to implement, right? If we go back a little bit to the Teams discussion we just had, pushing MFA and adding that second factor is a protector against something like that. So there's good reason to do these, and you understand why they're pushing it. It's just the timeframe for some of the clients that we're seeing, and the time they need to actually deal with this, is pretty short, and so, you know, extensions are often being asked for, or you're potentially even pushing for new a

Matt Fusaro  15:05  
little bit, right. And sometimes that's not possible; things are co-termed, things, you know, and your fiscal year end is coming up quick. For those orgs that are June-based or May-based, for some edu, you know, the clock is ticking very quickly. Others have, you know, maybe a few months' additional runway, but it's not a lot.

Jason Pufahl  15:24  
So outside of cyber liability insurance, does anything jump out to either of you?

Matt Fusaro  15:30  
Many requests from a policy and procedure standpoint, and, you know, a lot of them come from the "we need policies because we don't have them" standpoint, realistically. You know, policy development, policy implementation and policy review; we're seeing activity in all aspects of that. Some orgs have really well-developed policy lifecycle management, others don't. But they're all beginning to recognize that the policies that they've left in draft form for five years really do need to be finished, or, you know, the policies that they didn't think about that outside entities are beginning to demand. You know, the attention is understood and effort is being invested in actually resolving those issues.

I think some of that's coming from the fact that quite a few companies have come to us and said, hey, we have money to spend right now, let's do some projects. And policy tends to be one of those things that they kind of put on the back burner. A lot of people don't want to do it, right. But now they've got some money to go get some help to do it. I think a lot of it's coming out of the pandemic; I think companies are loosening their purse strings a little bit to spend money on things that they haven't for a while. So that's why we're seeing some of

Jason Pufahl  16:39  
that. In fairness, having documented policies, your incident response, acceptable use, maybe an information security plan of some sort, you know, that'll help drive your security program anyway. So there's a real practical value to looking at what you want, as an entity, to look like from a security perspective, and then, you know, starting to actually do projects in concert with your policy framework.

Matt Fusaro  17:05  
Right. And I think the other concern behind that, and the other motivator, is simply that there were two years of audits being suspended, and suddenly they're resuming, they're kicking back. Yeah, so things are ramping back up. And the area of focus has shifted a little bit, given the freedom to operate from home, the loosening of employee procedures, onboarding, and so forth. Now the policies are seen as the mechanism for enforcement and the mechanism for getting rigidity back on the table, where it's maybe been surrendered for the last, yeah, cycles. These

Steve Maresca  17:39  
companies are fundamentally different now in how they work. So it makes sense the policies would need to change too.

Jason Pufahl  17:44  
Yeah, and I think we talked a little bit about trying to do a policies podcast, I think, with the challenge being how do you make policies really interesting for 15 or 20 minutes. But I'm confident, you know, even just walking through the common policy set that we're sort of being asked to create and assist with, I think, would be valuable.

Steve Maresca  18:01  
So along with the dangers of being overly prescriptive? Yeah, for sure. Or, yeah, writing ones

Jason Pufahl  18:05  
that you can't comply with. Right. So you're writing it and then you find you're out of compliance immediately. Yeah. So I think maybe security awareness, right, could be one of the other things, probably, that I feel like all of a sudden we're doing a bunch more of. Possibly tied to the cyber liability side a little bit, maybe also somewhat to the regulatory audit side. But people

Matt Fusaro  18:27  
are more comfortable getting in groups now. And to actually, yeah, that's fair, have group-based? Ah, yeah, I know we're scheduling some right now, where there's some group-based ones that we're doing, which hasn't been happening for a while.

Jason Pufahl  18:38  
Yeah, yeah. In person; we generally focus on the in-person part of the training, which I think is great if you can manage it, but the video-based stuff can be good as well. So I think those are probably the sort of three things that jumped out to me over the last, I'd say, month or two. Cyber liability, I feel like, is driving some of the conversations. I think your point about audits kicking back up is well made, for sure, as well.

Matt Fusaro  19:08  
Right. I mean, that's the background noise, your usual vulnerability assessments and things of that sort, right, but those are constants. Right? These represent somewhat new attention, I'd say. Okay,

Jason Pufahl  19:19  
that's fair. Well, I think that brings us up roughly against our time here. As always, thanks for joining us today. We hope you got some value out of this. But of course, if you want to continue the conversation, feel free to reach out to us at Vancord on LinkedIn, or Vancord Security on Twitter.

Unknown Speaker  19:37  
Stay vigilant, stay resilient. This has been CyberSound.