Lessons From The Cyber Front Line

Very few weeks go by without news of another cyber attack or data breach, and a quick scan of the BBC news website shows that in most months there is at least one story that makes the national news headlines. Just a few years ago, many cyber attacks would go unnoticed by the public and be quietly swept under the carpet; today, legal requirements to report breaches, along with the power of social media, mean that the world gets to know about them.

Like most news, today’s headlines are tomorrow’s chip paper, but for those directly involved it lives on for a long time, while the rest of us should be looking and learning to stop the same things happening again. Below is a selection of some infamous cyber attacks, as a quick refresher on how the criminals managed to wreak havoc and how they could have been avoided.

SolarWinds 

Very few people outside of the tech community had heard of SolarWinds before late 2019, when cyber criminals gained access to SolarWinds' network. They spent some time moving around and investigating the network landscape before testing a malicious code injection into the Orion Platform, a network management system used by government organisations and businesses to manage their IT resources. In February 2020, the code known as Sunburst was let loose and the following month, SolarWinds unknowingly sent out Orion software updates which included the Sunburst malware.

The trojanised update at the heart of this massive supply-chain attack was installed by more than 18,000 organisations, enabling the attackers to access SolarWinds' customers' IT systems. From that point, they were able to install further malware so they could spy on target organisations and cause major problems. According to SolarWinds, the attack, recovery and ensuing fallout cost $40 million in the first nine months of 2021, while a survey of IT decision makers across SolarWinds customers found that the average financial impact of the attack was 11% of annual revenue, or about $12 million per company.

Travelex 

In December 2019, the Travelex foreign exchange company was targeted by the REvil ransomware group. The hacker group encrypted Travelex's network, made copies of 5GB of personal data and threatened to publish the data if Travelex did not pay the ransom. It's likely the cyber criminals were lurking on Travelex's network before initiating their ransomware, having gained access via an unpatched VPN (Virtual Private Network). Travelex reportedly paid around $2.3M in ransom, and the combination of business disruption plus the COVID-19 pandemic forced the world’s largest foreign exchange bureau into administration.

Equifax

For two months during 2017, the American credit bureau Equifax was subject to a massive data theft, where information relating to millions of customers was stolen. The company was initially hacked through a consumer complaint web portal, with the cyber criminals making use of a widely known vulnerability that should have been patched but, due to failures in Equifax's internal processes, wasn't.

The attackers were then able to move to other servers, in large part because they found usernames and passwords stored in a plain text file, which gave them access. Data was pulled out of the network over a long period of time so that no large data movements could be detected. In total, the hackers stole the personal information of 147.7 million Americans from 48 Equifax servers over 76 days before they were detected. The cyber criminals also encrypted the information they took out, so that its theft was not spotted.

The subsequent financial impact on the organisation has been massive, not to mention the jail term for the CIO who sold $950,000 worth of company shares before the data breach became public knowledge. In February 2020, the U.S. Department of Justice announced charges against four Chinese military-backed hackers in connection with carrying out the attack.

Edward Snowden – the inside job

In 2013, the now infamous Edward Snowden pilfered documents from America’s NSA and gave them to journalists - and probably governments - in an effort, he claims, to expose the U.S. government spying apparatus. According to cyber firm Venafi, as an administrator, Snowden was able to create digital certificates and cryptographic keys undetected by the NSA. Using these keys, he was able to gain access to systems and then locate the files he wanted to steal. 

For exfiltration, Snowden transferred the data over encrypted channels to his own external file share using self-signed certificates. So as far as the NSA was concerned, these signed transmissions were safe and authorised and allowed to pass unquestioned. He was able simply to copy data from the network to removable drives.

NHS 111

Most recently, in August 2022, a cyber attack on NHS supplier Advanced, the firm which provides digital services for NHS 111, targeted the system used to refer patients for care, including ambulances being despatched, emergency prescriptions and out-of-hours appointment bookings. 

The attack was reportedly due to ransomware, thought to have been the result of phishing. Once the ransomware had been inadvertently executed, it may have been operating in the background, exfiltrating data before attackers disabled systems in the network, alerting the company to the attack.

Lessons Learned?

For SolarWinds, since software such as Orion is built using components from multiple sources, a Software Bill of Materials (SBOM) should have been used. This is a way in which all the components may be listed and checked so that rogue components can quickly be identified and removed. In addition, keeping all source code encrypted on a per-file, per-user basis would have blocked any unauthorised hacker from being able to access code files.
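As an added illustration of the SBOM check described above (example code written for this page, not SolarWinds' or SecureAge's tooling), the Python script below parses a constructed CycloneDX-style SBOM, hashes the components that actually went into a build, and reports anything that is unlisted, missing or altered. Every component name, body and digest is made up for the example; the "injected" line simply stands in for an unexpected change to a declared component.

```python
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "trusted" component bodies for a hypothetical product build.
TRUSTED_SOURCES = {
    "net-discovery": b"def discover(): ...  # constructed component body\n",
    "telemetry-core": b"def report(): ...   # constructed component body\n",
}

# A minimal CycloneDX-style SBOM generated from those trusted bodies.
SBOM_TEXT = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": name, "version": "1.0.0",
         "hashes": [{"alg": "SHA-256", "content": sha256_hex(body)}]}
        for name, body in TRUSTED_SOURCES.items()
    ],
})

# What actually went into the build: one declared component was modified after
# the SBOM was produced, and one component that nobody declared appeared.
SHIPPED_BUILD = {
    "net-discovery": TRUSTED_SOURCES["net-discovery"],
    "telemetry-core": TRUSTED_SOURCES["telemetry-core"] + b"# injected\n",
    "update-helper": b"# constructed component that is not in the SBOM\n",
}


def parse_sbom(sbom_text: str) -> dict:
    """Return {component name: (version, expected SHA-256)} from the SBOM JSON."""
    doc = json.loads(sbom_text)
    expected = {}
    for comp in doc.get("components", []):
        digest = next((h["content"] for h in comp.get("hashes", [])
                       if h.get("alg") == "SHA-256"), None)
        expected[comp["name"]] = (comp.get("version"), digest)
    return expected


def audit_build(sbom_text: str, shipped: dict) -> dict:
    """Compare measured component hashes against the SBOM's declared hashes."""
    expected = parse_sbom(sbom_text)
    report = {"ok": [], "tampered": [], "unlisted": [], "missing": []}
    for name, body in shipped.items():
        if name not in expected:
            report["unlisted"].append(name)          # rogue component
        elif expected[name][1] != sha256_hex(body):
            report["tampered"].append(name)          # declared, but changed
        else:
            report["ok"].append(name)
    for name in expected:
        if name not in shipped:
            report["missing"].append(name)           # declared, never shipped
    for key in report:
        report[key].sort()
    return report


def audit_example() -> dict:
    return audit_build(SBOM_TEXT, SHIPPED_BUILD)


if __name__ == "__main__":
    print(json.dumps(audit_example(), indent=2))
```

The check only catches what the SBOM declares, so the SBOM itself has to be produced from a trusted build step and stored where a build-system intruder cannot rewrite it; otherwise the attacker simply regenerates it to match the tampered artefact.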

In the case of Travelex, patching the VPN would have been a significant block to the cyber criminals, but the ransomware could easily have been deployed using other techniques such as phishing. An ‘allowlisting’ approach to application control would have blocked the ransomware, no matter how well it had been disguised. Application control based on allowlisting ensures that a system will only run processes that are on the authorised allowlist; all other processes are blocked. In a business environment we know exactly what should be running on a machine, so this approach is both simple and highly effective. For SolarWinds customers, deploying allowlist-based application control would have prevented the attackers from running the malware they installed after gaining access to each customer’s network.
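To show what allowlist-based application control actually decides, here is an added Python example (written for this page; it is not code from any product or from SecureAge). It models a default-deny policy keyed on the hash of the executable image rather than its name or path, and runs three constructed launch attempts through it: an approved program, a payload disguised under an approved program's name, and an unknown executable of the kind a phishing mail drops. All paths and image bytes are constructed stand-ins.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the executables approved for a hypothetical
# workstation build. Real deployments measure the actual files.
KNOWN_GOOD = {
    r"C:\Program Files\Office\winword.exe": b"MZ\x90\x00 constructed word processor image",
    r"C:\Windows\System32\notepad.exe": b"MZ\x90\x00 constructed notepad image",
}

# The allowlist is keyed by content hash, not by file name, so a payload
# renamed to look like an approved program still fails the check.
ALLOWLIST = {sha256_hex(image): path for path, image in KNOWN_GOOD.items()}


def decide(path: str, image: bytes) -> tuple:
    """Default-deny policy: a process may start only if its image hash is listed."""
    digest = sha256_hex(image)
    if digest in ALLOWLIST:
        return True, "allow: image hash matches approved " + ALLOWLIST[digest]
    return False, "deny: " + path + " is not on the allowlist"


# Constructed launch attempts: a legitimate program, a payload disguised under
# an approved name, and an unknown executable dropped by a phishing mail.
LAUNCH_ATTEMPTS = [
    (r"C:\Windows\System32\notepad.exe", KNOWN_GOOD[r"C:\Windows\System32\notepad.exe"]),
    (r"C:\Program Files\Office\winword.exe", b"MZ\x90\x00 constructed impostor image"),
    (r"C:\Users\alice\Downloads\invoice.pdf.exe", b"MZ\x90\x00 constructed unknown image"),
]


def simulate_launches() -> list:
    """Return (path, allowed, reason) for every attempt; doubles as an audit log."""
    return [(path, *decide(path, image)) for path, image in LAUNCH_ATTEMPTS]


if __name__ == "__main__":
    for path, allowed, reason in simulate_launches():
        print(("ALLOW" if allowed else "DENY").ljust(6), path, "-", reason)
```

Production controls such as Windows AppLocker or Windows Defender Application Control enforce the same idea at the operating-system level, usually by publisher signature or hash rules; the operational cost is keeping the list current whenever approved software is updated, which is why a disciplined change process matters as much as the enforcement itself.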

In the case of Equifax, the consumer complaint web portal should of course have been patched, and no administrator or any other user should have stored usernames and passwords in a freely accessible file. While in most organisations it is highly unlikely that the whole series of errors would all happen together, we all make mistakes. Systems cannot always be patched immediately because of conflicting system dependencies, and users, administrators included, sometimes do unexpected things.

All these examples show the need for comprehensive off-network backups and better cyber security training, but also that we should always assume that a cyber criminal may gain network access.

So, it’s important to protect the data itself. This means all of the data all of the time, no matter where it is stored or copied. Had file-level encryption been used to encrypt all data everywhere, the Equifax data breach would have been a story that lasted just a few days rather than years. If all their data had been encrypted so that it remained encrypted when exfiltrated, the attackers would have stolen terabytes of completely useless data.

The same approach would have thwarted Snowden. If the encryption system provides each user with their own unique encryption key, then Snowden would have been able to do his job, even moving files around, but would have been completely unable to decrypt and access the information.
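The two paragraphs above make one claim: encrypted files stay encrypted wherever they are copied, and a user holding a different key (an administrator, or an attacker who has exfiltrated the file) can move them but not read them. The Python example below, added for this page and not taken from SecureAge or any product, demonstrates that with a small authenticated encryption construction built from the standard library (HMAC-SHA256 as a keystream generator plus an HMAC tag; this is a demonstration construction, not a production cipher). The users, keys and document text are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Demonstration construction only: HMAC-SHA256 used as a PRF to produce a
# CTR-style keystream, plus an HMAC tag over nonce || ciphertext. A real
# product would use a vetted AEAD such as AES-GCM; what matters here is that
# each user holds a different key and nothing else can open the file.


def _subkeys(user_key: bytes) -> tuple:
    """Derive separate encryption and authentication keys from one user key."""
    enc_key = hashlib.sha256(b"file-enc" + user_key).digest()
    mac_key = hashlib.sha256(b"file-mac" + user_key).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_file(user_key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; only the holder of user_key can open it."""
    enc_key, mac_key = _subkeys(user_key)
    nonce = secrets.token_bytes(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt_file(user_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or a modified file is rejected outright."""
    enc_key, mac_key = _subkeys(user_key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("wrong key or tampered file")
    stream = _keystream(enc_key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, stream))


def insider_scenario() -> dict:
    """A user stores a file; an administrator copies it but holds a different key."""
    alice_key = secrets.token_bytes(32)   # issued to Alice only (constructed)
    admin_key = secrets.token_bytes(32)   # the administrator's own key (constructed)
    document = b"Project budget: CONFIDENTIAL (constructed sample text)"
    stored = encrypt_file(alice_key, document)
    copied = bytes(stored)                # byte-for-byte copy to removable media
    outcome = {
        "copy_is_identical": copied == stored,
        "plaintext_visible_in_copy": b"CONFIDENTIAL" in copied,
        "owner_can_read": decrypt_file(alice_key, copied) == document,
    }
    try:
        decrypt_file(admin_key, copied)
        outcome["admin_can_read"] = True
    except PermissionError:
        outcome["admin_can_read"] = False
    return outcome


if __name__ == "__main__":
    for key, value in insider_scenario().items():
        print(f"{key}: {value}")
```

Because the stored bytes are opaque, backups, file moves and replication keep working unchanged; what the design shifts is the thing that needs protecting, from every copy of the data to the per-user keys, so key issuance, escrow and revocation become the controls that deserve the audit attention.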

20/20 hindsight is a wonderful thing, but if we are going to gain anything from these cyber attacks we need to learn from them and look at new ways of protecting our data, not simply carry on building up more layers of defence to prevent people from getting in.

Nigel Thorpe is Technical Director at SecureAge
