Yanagi Nashi

A series of cyber attacks beginning in early 2018 and continuing through 2019 are believed to have been carried out by threat adversaries with a nexus to the Turkish government. Approximately thirty organizations across Europe and the Middle East were affected by the operations, ranging from government ministries and agencies, private industry, and other groups:

According to two British officials and one U.S. official, the activity bears the hallmarks of a state-backed cyber espionage operation conducted to advance Turkish interests.

The officials said that conclusion was based on three elements: the identities and locations of the victims, which included governments of countries that are geopolitically significant to Turkey; similarities to previous attacks that they say used infrastructure registered from Turkey; and information contained in confidential intelligence assessments that they declined to detail.

The officials said it wasn’t clear which specific individuals or organizations were responsible but that they believed the waves of attacks were linked because they all used the same servers or other infrastructure.

What techniques did these purported nation state threat actors leverage?

The hackers used a technique known as DNS hijacking, according to the Western officials and private cybersecurity experts. This involves tampering with the effective address book of the internet, called the Domain Name System (DNS), which enables computers to match website addresses with the correct server.

By reconfiguring parts of this system, hackers were able to redirect visitors to imposter websites, such as a fake email service, and capture passwords and other text entered there.

Essentially, the initial goal of the threat activity was credential harvesting. If you are unfamiliar with the term, it is the act of tricking unsuspecting users to input their login credentials into a fraudulent web site or application. It usually starts off with a phishing email directing users to visit a web site which appears to be one the victim legitimately uses, asking them to login, and then storing the credentials for use in a later operation.

Once the attackers had amassed enough credential data, knowing average users often use the same password across multiple logins, the adversaries could then attempt to breach personal accounts - such as Twitter, Facebook, Gmail, and more - as well as their official government or business accounts. The latter being the crown jewels, although the personal accounts may also lead to additional opportunistic, targeted attacks.

What I find most alarming is certain DNS top-level domain providers were breached. The actual DNS servers themselves do not appear to have been affected but a number of organizations controlling them were compromised. Those organizations should know better, and have implemented better security controls, and security awareness.

This demonstrates how anyone can be the victim of a cyber attack.

Channel Asia is reporting on a study recently released by McAfee, claiming the average cost of a cyber attack to a Singapore-based business is approximately $1.25m per breach:

According to McAfee findings, the city-state houses the highest estimated costs stemming from a breach across Asia Pacific, ahead of markets such as Australia, Hong Kong, India, Indonesia, Malaysia, New Zealand and Thailand.

Findings from a survey of 480 cyber security decision-makers at a regional level paint a damning picture for Singapore with 80 per cent of respondents claiming that cyber security incidents pose “high” or “medium” impacts on business.

And:

Estimated costs from respondents in Singapore were more than double that of the next highest country in Asia Pacific, identified as Indonesia with financial implications at roughly S$785,000 per breach.

I would like to know how McAfee, and the various companies they interviewed, arrived at these numbers. Internal incident response is a bit of an art to accurately quantify. Leveraging external resources to assist with breach remediation is much easier to understand.

The likelihood of all of these Singapore-based companies only using outside assistance is small. There is a stronger chance of a more hybrid approach, where internal responders work in conjunction with external help of some sort.

In either case, I am curious to see how these numbers were derived.

Potsdam, the capital of the German state of Brandenburg, has had to disconnect from the internet due to a cyber attack. Although specifics about how the attack was executed are light, the city claims the attack occurred because of a vulnerable third-party provider:

"The background to this is a weak point in the system of an external provider, which attempts to retrieve data from the state capital from outside without authorization or to install malware," an official statement says.

"In order to analyze the damage and to ensure the security of the data, external IT security companies and IT forensic experts are commissioned to support the IT specialists in the administration with their work."

This is far too sparse on details, and almost sounds word-smithed enough to purposely obfuscate any potential blame. A German journalist believes the attackers may have exploited vulnerable public facing Citrix servers:

While the City of Potsdam's updates on the cyberattack do not go into detail on what was the method the attackers used to infiltrate the network, German journalist Hanno Böck found Citrix ADC servers on the administration's network vulnerable to attacks exploiting the CVE-2019-1978 vulnerability.

Böck says that the servers he found weren't protected using mitigation measures provided by Citrix over a month ago.

It true, this is not at all related to a "weak point in the system of an external provider" but instead a failure of the city IT department to mitigate CVE-2019-1978. Failure to act in cyber space will almost always lead to a compromise.

VirusTotal is a valuable resource for checking the verdict on file samples and URL's. Although the service offers a variety of benefits, it should never be the sole trusted resource for conducting analysis, especially in the context of a live incident response operation:

For example, a Defender gets forwarded a phishing email with a link to investigate. The Defender creates the tracking ticket and starts the workflow in their “analysis checklist”. They just want to get through this investigation and close out the ticket. The Defender may not even think about looking at the other things surrounding the email as in whats the content, where did it come from, what are the email headers, and other indicators. The decision to continue or close the investigation has now become all about the outcome of the scan of over 70 AV scanners on VirusTotal. The results (most likely) return that all 70 plus AV scanners claim the link is clean (not one flag). Defender quickly marks all is clear and closes the ticket. In many cases, this might be a quick solution and is not a bad starting point but can provide many false negatives.

Any cyber security analyst worth their salt knows to cross-reference across multiple tools. VirusTotal is merely one of many useful tools for determining authenticity of files and URL's, but is not a one-stop shop to be unequivocally trusted. Any incident response playbook leveraging free applications like VT should contain multiple tools, whether on-site or cloud-based, for analysis.

The same can be said for Hybrid-Analysis. It is a wonderful tool, most often extremely capable of determining whether or not a sample is malicious. It is not infallible, and therefore because it is a free service should be used in conjunction with other free services. Based on an aggregate score across multiple tools, and the context around the threat, defenders and analysts can take appropriate actions.

A recent ransomware attack against a Canadian construction company is raising questions about the level of cyber security controls required, or apparent lack thereof, for industry to win federal contracts.

While it doesn't appear that any secure government files were compromised in the hack, the Bird case raises concerns about how secure government contracts are as the number of ransomware incidents multiplies.

Between 2006 and 2015, Bird scored 48 contracts with the Department of National Defence totalling more than $406 million. Bird also helped build the RCMP's Surrey detachment headquarters and has done work for Public Services and Procurement Canada.

Christyn Cianfarani, president of the Canadian Association of Defence and Security Industries, said Canada could learn from the United States and Britain, countries that have taken steps to ensure the security systems of all government contractors are locked down — even those not dealing with classified information.

Luckily no sensitive files were compromised in the attack. However, one has to wonder how a government contractor has allowed this to occur. Are there no minimum security requirements for Canadian government contractors? Maybe the bar is set so low that a simple ransomware attack is capable of being executed?

While no company can 100% ensure they are safe from attack, there is no reason why a standard ransomware attack should be successful. There are a myriad of endpoint security controls - from next-generation antivirus to endpoint detection & response - capable of either preventing or providing visibility on attacks like ransomware.

Buried within the article is this note:

"When we look at the major hacks that have occurred, especially on the defence side, where you know fighter aircraft information was stolen — it wasn't stolen from the prime contractor, it was stolen in a tiny, tiny shop supplying widgets," she said, citing the 2017 theft of sensitive information about Australia's defence programs through a government contractor.

Whether they're done by nation states or by criminal organizations or by rogue actors, it's a characteristic of these kinds of attacks to get to governments using businesses as the point of entry, especially ... small businesses that tend to be the most vulnerable."

Threat adversaries are not stupid; they do the reconnaissance required to find vulnerable targets. Those tiny shops supplying widgets are, more often than not, the weakest links in the supply chain.

Adam Rowe of tech.co writes one of the worst clickbait heading I have seen recently, stating cyber incidents are deemed a bigger global business risk than climate change. Fortunately the article states a much different claim:

Cybersecurity risks are the highest priority for businesses around the globe in 2020, according to an extensive new survey. By comparison, climate change clocked in at seventh as the biggest perceived business risk worldwide.

Granted, that's still climate change's highest ever ranking, and a sign that it's moving up in importance as the effects of humanity's impact on Earth's climate become increasingly extreme.

The Allianz Risk Barometer 2020 conducted research through a survey of over 2,700 experts across 100 countries. These experts were stipulating impact to specific businesses as opposed to the overall global risk as the clickbait headline suggests.

Overall it is not a bad article, but headline hyperbole is strong with this one.