Cyber News Roundup: CIA Info Leaked, Ransomware Gangs, Business Email Compromises

Editor’s Note: This is your cyber news roundup with the latest cybersecurity news and tips from the Cyber Oregon team to help you and your organization stay safe online and protect your digital assets. We examine cybersecurity news and developments from across the Northwest and the Nation that are important to all Oregonians including individuals, businesses, non-profit organizations, government entities, and educational institutions. Sign up to receive ongoing updates here.

The ultimate irony: the CIA’s top-secret hacking tools were breached. The Washington Post reports that an elite CIA unit in charge of developing top-secret hacking tools failed to secure its own systems. The article covers the breach, which occurred in 2016 and was discovered a year later via WikiLeaks.

Reporters Ellen Nakashima and Shane Harris write, “U.S. officials have said it was the biggest unauthorized disclosure of classified information in the CIA’s history, causing the agency to shut down some intelligence operations and alerting foreign adversaries to the spy agency’s techniques.” The CIA’s WikiLeaks Task Force says that security procedures were “woefully lax” within the special unit that designed and built the tools.

The office of Sen. Ron Wyden (D-Ore.), a member of the Senate Intelligence Committee, provided the task force report, pressing for stronger cybersecurity in the intelligence community.

Ransomware gangs

Ransomware gangs? Data “leaking as a service?” Crypto-locking malware? Auctioning off data to the highest bidder? An article in BankInfoSecurity reports on the latest ransomware trends, including gangs continuing to “pummel the healthcare sector and its suppliers” amidst the COVID-19 pandemic:

  1. Maze Offers “Data Leaking as a Service.” The Maze ransomware gang was the first to begin not just crypto-locking systems, but also stealing and leaking data, to try and force victims to pay. Just this week, Maze has expanded its leaking syndicate by using RagnarLocker’s leak site to host the data.
  2. Fresh Shakedown Play: Auctioning Stolen Data. Another innovation that’s come to light in recent days is not leaking data, but instead auctioning it for sale to the highest bidder. The operators behind the ransomware-as-a-service operation REvil began auctioning data that the gang claims was stolen from Canadian agricultural company Agromart Group.
  3. Targeted Ransomware Attacks Continue. Ransomware attacks typically fall into one of two buckets. Some attackers practice “smash and grab,” gaining access to a network, infecting a bunch of endpoints, and then moving on. But other attackers are more advanced, and spend their time conducting reconnaissance, gathering credentials, studying potential avenues for hitting business partners and more, according to incident response expert David Stubley of 7 Elements.
  4. Healthcare Keeps Getting Hit. Despite the pandemic, and some ransomware gangs pledging to try and not hit healthcare organizations, security experts say they’ve seen no cessation in attacks targeting the sector. In fact, the healthcare sector may be getting hit more than ever before.
  5. Unfixed Flaws Get Exploited by Others. Many breaches do not begin or end with ransomware. Before infecting systems with crypto-locking malware, attackers may have gained remote access to the network via brute-forced remote desktop protocol credentials or a phishing attack. Then they may have spent weeks or months leapfrogging to other systems, conducting reconnaissance, potentially stealing administrator-level access credentials for Active Directory as well as stealing sensitive data to potentially leak it later if victims do not immediately pay.
  6. Gangs May Still Be Camped Out. Sometimes, attackers remain camped out in victims’ networks after hitting them with ransomware. For victims, one challenge can be that attackers can eavesdrop on their post-breach response plans.

Business email compromise threatens organizations

While not as thrilling as ransomware gangs, business email compromise (BEC) attacks pose great financial risks to organizations, according to a TechRepublic article by Lance Whitney. BEC attacks work by impersonating a specific individual within an organization or a trusted external contact. The FBI says that BEC accounted for more than half of all cybercrime-related losses in 2019.

In its Abnormal Quarterly BEC Report Q1 2020, Abnormal Security finds that BEC attacks have changed their focus to spoofing employees working in finance and those who work as external vendors. Whitney writes that cybercriminals have shifted from targeting individuals to groups, and attacks using invoice fraud are soaring, with attackers impersonating vendors, suppliers, or customers. He cites an example of an attacker masquerading as the billing department of a vendor asking for a payment information update. The attacker convinced the target’s accounts payable team to change bank routing information from the valid bank to the bank used by the criminal.

Tips for organizations to better defend against business email compromise, from Ken Liao, vice president of cybersecurity strategy for Abnormal Security:

  • To protect against BEC attacks, it’s important to be extra careful with familiar sender names (e.g., executives or fellow employees) whose messages originate from Gmail or other well-known general-purpose email domains.
  • You must also watch for out-of-domain impersonation techniques such as 1) swapping ‘i’ and ‘l’, 2) adding an ‘s’ to the end of a known domain (which will still look legitimate), and 3) adding ‘int’ or ‘inc’ to the end of a known domain (which will still look legitimate).
  • Don’t let your guard down if you receive an email with an ask that seems low risk and low consequence. Slow and measured engagement by an attacker is a common technique and can often be the early stage of an attack.
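The first two tips above describe patterns a mail gateway or SOC triage script can check mechanically. The following is an added example, not code from the article or from Abnormal Security, that turns them into a small Python checker: it flags sender domains that are an ‘i’/‘l’ swap of a trusted domain or a trusted domain with ‘s’, ‘int’ or ‘inc’ appended, and it flags a known person’s display name arriving from a freemail domain. The trusted domains, freemail list and directory of names are constructed sample data.

```python
"""Lookalike-domain and freemail checks for BEC triage (added example)."""
from email.utils import parseaddr
from typing import List, Set

# Constructed sample data: the organisation's own domain plus a trusted vendor.
TRUSTED_DOMAINS: Set[str] = {"example.com", "billing-vendor.com"}
# General-purpose mail providers; a familiar name from one of these is suspicious.
FREEMAIL_DOMAINS: Set[str] = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Constructed directory of display names attackers commonly borrow (lower-cased).
KNOWN_PEOPLE: Set[str] = {"jane doe", "accounts payable"}


def _split(domain: str):
    """Split 'example.com' into ('example', 'com'); the suffix tricks act on the name part."""
    name, _, tld = domain.rpartition(".")
    return name, tld


def lookalike_reasons(sender_domain: str, trusted: Set[str] = TRUSTED_DOMAINS) -> List[str]:
    """Return the reasons `sender_domain` looks like an impersonation of a trusted domain.

    An exact match with a trusted domain is legitimate and returns no reasons.
    """
    reasons: List[str] = []
    d = sender_domain.strip().lower()
    if d in trusted:
        return reasons
    d_name, d_tld = _split(d)
    for t in sorted(trusted):
        t_name, t_tld = _split(t)
        if d_tld != t_tld:
            continue  # only same-TLD lookalikes are covered by the tips above
        # Tip 1: swapping 'i' and 'l'. Normalising both letters to one symbol
        # catches any number of swaps in either direction.
        if d_name != t_name and d_name.replace("l", "i") == t_name.replace("l", "i"):
            reasons.append(f"i/l swap of {t}")
        # Tips 2 and 3: a known domain with 's', 'int' or 'inc' appended.
        for suffix in ("s", "int", "inc"):
            if d_name == t_name + suffix:
                reasons.append(f"'{suffix}' appended to {t}")
    return reasons


def triage_sender(from_header: str) -> List[str]:
    """Apply all checks to a raw From: header value and return the findings."""
    display, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    reasons = lookalike_reasons(domain)
    # Familiar sender name arriving from a general-purpose mail provider.
    if domain in FREEMAIL_DOMAINS and display.strip().lower() in KNOWN_PEOPLE:
        reasons.append(f"known name '{display}' sent from freemail domain {domain}")
    return reasons


if __name__ == "__main__":
    # Constructed sample headers, not taken from any real incident.
    samples = [
        "Jane Doe <jane.doe@example.com>",
        "Jane Doe <jane.doe@gmail.com>",
        "Billing <billing@exampie.com>",
        "Billing <ap@billing-vendors.com>",
        "Billing <ap@billing-vendorinc.com>",
    ]
    for header in samples:
        findings = triage_sender(header)
        print(f"{header:40s} -> {findings or 'no findings'}")
```

Findings from a script like this are a triage signal, not a verdict: the point of the tips is to route such messages for a second look (for instance, an out-of-band call before any change to payment details), which is exactly where the invoice-fraud example in the article went wrong.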

Zoom to feature end-to-end encryption

Zoom is building end-to-end encryption into its videoconferencing software, starting with a beta next month, according to The Verge. This will be available for both free and paid users. According to reporter Nick Statt, “Zoom has been facing harsh criticism since the beginning of the COVID-19 pandemic for failing to beef up its security despite huge surges in user growth as Zoom and similar services became virtual hangout tools during lockdowns.”

The next normal

As employers move towards bringing employees back to work during the COVID-19 pandemic, they are focused on safety and technology. A new report covered by a TechRepublic article outlines what the next normal will look like: a digitized workplace, with accelerated digital transformations and working and collaborating from anywhere.

“The pre-COVID-19 workplace no longer exists,” states Pat Wadors, chief talent officer with ServiceNow, the issuer of the report. ServiceNow’s CIO, Chris Bedi, says the pandemic has exposed organizations’ flaws. He advocates that “the focus needs to be on digitizing workflows… When it comes to protecting revenue, creating digital services to create new revenue streams, pursuing productivity, scaling operations, optimizing financial models, and prioritizing business continuity — all of that can be achieved with digital platforms.” Bottom line, they recommend accelerating, not slowing digital transformations and working and collaborating from anywhere.

Partner blog of interest: McAfee: Time to Move from Reactive to Proactive Endpoint Security