Cyber Security Today, Week in Review for the week ending Friday June 30, 2023

Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday, June 30th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.

In a few minutes Terry Cutler of Montreal’s Cyology Labs will be here to discuss four recent news stories. But first a look back at some of the headlines from the past seven days:

Canadian oil and natural gas producer Suncor spent much of the week recovering from a cyberattack. Drivers couldn’t pay for gas by credit cards at the company’s Petro-Canada gas stations for close to six days. Terry and I will discuss what lessons infosec pros could learn. We’ll examine the costs of a ransomware attack of Canadian retailer Indigo Books, which this week issued its annual financial statement including numbers on the attack. We’ll look into Microsoft’s report that the Russian-based group called Nobelium or Cozy Bear is increasing credential stealing by hiding behind residential proxy services. And we’ll talk about the effectiveness of security information and event management platforms after a report was issued saying major SIEMs are only detecting a quarter of attack techniques.

Also in the news, SolarWinds says it’s been told by the U.S. Securities and Exchange Commission the regulator intends to recommend civil action against the company. It relates to the compromise in 2022 of the update process of SolarWinds’ Orion network management software. The SEC would allege SolarWinds broke federal securities laws in its public statements. SolarWinds says if charges are laid it will vigorously defend itself.

The 8Base ransomware gang has been active this month. According to researchers at VMware it listed 30 victims on its data leak site in June, compared to low single digits in March, April and May. Researchers say this gang targets smaller businesses. One on their list is a Canadian transportation and logistics management company. According to one news site, another is a Denmark shipping company.

The CyberWire news service reports a new group of pro-Russian hacktivists has been formed. Calling themselves the UserSec Collective, they claim to have groups from Russia, India, Egypt and other countries that support Russia.

The Andariel malware used by North Korea’s Lazarus group has more off-the-shelf tools. That’s according to researchers at Kaspersky. For those who don’t know, this malware infects computers by executing a Log4J exploit. I hope by now all of your applications have been protected against Log4j vulnerabilities.

Attention administrators of WordPress sites that use the miniOrange WordPress Social Login and Register plugin: There’s a vulnerability that needs to be patched, say researchers at WordFence. If it isn’t, an attacker could access any account on a WordPress site if they know the associated email address. Make sure you’re running version 7.6.5 of the plugin

A threat actor has created a new piece of malware for attacking Apple computers running the macOS operating system. Researchers at Elastic Security found it being run against a Japanese cryptocurrency exchange. Briefly, after breaking into a computer with the malware to try and bypass the operating system’s Transparency, Consent, and Control (TCC) permissions, which provide access control replace it with a TCC database of their own. Administrators have to make sure access to any macOS TCC database is locked down. According to BitDefender, there are Windows and Linux versions of this malware as well.

Finally, Google has updated the Chrome browser version 114 to close several vulnerabilities.

(The following transcripted has been edited for clarity and is one of the four news stories discussed. To hear the full conversation play the podcast)

Howard: I want to start with the cyber attack on Suncor, a billion-dollar energy producer with a network of 1,500 gas stations across Canada. We don’t know what kind of attack it was, but starting a week ago today drivers couldn’t use credit or debit cards to pay for gas. They had to pay cash. On Wednesday — six days later — the ability to use payment cards was restored. It seems this attack only hit the point-of-sales network and not the operational or production side of Suncor. Still, this will be a major disruption to the company. There aren’t any details so we can’t talk about how this attack might have been prevented, but we can talk about the importance of resilience — which is not disaster recovery. Resilience is the ability to keep doing business.

Terry Cutler: We could be dealing with a couple of scenarios: Suncor laid off about 1,500 people earlier, so this could be related to disgruntled employees who want to teach their former boss a lesson. Or it could be a state-sponsored attack, or a ransomware attack, or human error, like what happened to Rogers. A lot of times point-of-sale devices don’t have enough memory on them to install an agent for protection like EDR (endpoint detection and response) and such. Or they’re too old. Maybe they might still be running Windows 7, so they’re dealing with an unsupported operating system and don’t notice an infection. There’s beaconing off the network. Or they may be relying on SIEM (system information and event management) products that don’t have the proper log configured. There are so many possible scenarios.

Howard: In your experience, how many organizations have business continuity plans?

Terry: Not many. They’re either dealing with nonexistent plans or they’re very incomplete.

Howard: What are the essential elements of resilience?

Terry: It all pertains to how fast you can get back online from a cyber attack. The important thing is risk management. You need to conduct comprehensive cyber security risk assessments to identify potential threats, vulnerabilities and the potential impact of cyber attacks. The important part is the incident response plan. You need to know what happened, what to do first, who to contact, and who’s in charge of what. You can also create tabletop exercises to simulate an attack. You also need to look at things like backup recovery strategies. We hear a lot of folks that, ‘Yeah, we’re doing backups on a very regular basis,’ but they’re not testing their restores and that’s a huge problem. We’ve seen cases where organizations weren’t able to recover their data. They had to bring it to a special firm that recovers data offsite. Obviously, look at your cyber awareness training. Make sure you educate the employees and the stakeholders around best practices for creating strong passwords and how to recognize phishing attacks. Make sure IT is monitoring in real time. There’s cloud protection, and data segmentation so a cyber attack won’t take the whole place down. Also, look at multifactor authentication and patch management.

Howard: One option that some businesses have is sending employees home and letting them work remotely. A retailer [with stores] doesn’t have that option but there there are a lot of businesses that do, as they found out during the pandemic. If you’re prepared, if you have the cyber security resources so staff can connect remotely to the applications they need a business can keep going. That’s resilience

Terry: But when employees are working from home they’re away from the fortified network of the corporation. They’re dealing a Best Buy router. A lot of things can go wrong so you have to make sure staff have the proper protection in place on their endpoints.

Howard: One bright thing for Suncor is it was already doing business by cash So having to refuse to take payment cards may not have affected revenue too much. Although some people these days don’t carry a lot of cash. So they may have gone to other gas stations. And possibly those who paid cash at Petro-Can may not have been able to get receipts because of the cyber attack. That may be important for people who keep business records for spending. On the other hand, many gas buyers don’t need a receipt because gasoline is not a product that you can return. There’s a possibility Petro-Can won’t lose a lot of business.

Terry: I rarely carry cash. It would really inconvenience me to drive to a bank in the area, pull out cash and then go back to the gas station and fill up. It shows you reliant we are on technology that when IT systems go down it causes a lot of inconvenience for sure.