Forescout Cyber Roundup
January 18, 2019
The Forescout Cyber Roundup is a weekly blog series highlighting some of the previous week’s cyber headlines and explaining why they matter. Each article includes a closer look at the potential implications of the news or event, predictions about what might happen next and suggestions for all readers, from the C-suite to end users. Articles are ordered by date, not necessarily priority.
- Proof-Of-Concept Malware Reveals Smart Building Vulnerabilities Your Business Needs to Deal With (January 15, 2019)
- Ransomware hits K-12 district in Connecticut (January 9, 2019)
- Chinese Envoy to Canada Warns of ‘Repercussions’ if Ottawa Bans Huawei from 5G Mobile Phone Network (January 17, 2019)
- Mother of All Breaches Exposes 773 Million Emails, 21 Million Passwords (January 17, 2019)
- Russian, Ukrainian Defendants among Those Charged with Hacking SEC System in Trading Scheme (January 15, 2019)
Summary: An attack on a building automation system could have devastating consequences—shutting down HVAC controls could cause servers to overheat and bring everything from government offices to hospitals to a standstill. At this year’s S4x19 ICS conference, Forescout’s Sr. Director for Industrial and OT Technology Innovation, Dr. Elisa Costante, presented the results of her team’s research on discovering and defending against vulnerabilities in building automation systems (BAS).
Why it matters: At the end of 2018 we predicted that “malicious actors will leverage Building Automation Systems (BAS) in a major public ransomware attack.” While that prediction hasn’t come to fruition just yet, our recent research suggests that not only is it entirely possible to leverage malware in a BAS attack, but it’s also pretty inexpensive and easy to accomplish. What makes this special is that smart buildings neatly encompass a special domain in which Operational Technology (OT), Information Technology (IT) and the Internet of Things (IoT) converge. And the future foundations of smart buildings are already IP-enabled—in the UK, more than 10 million IP-enabled smart meters have been deployed so far, despite criticism (including that of infosec legend Ross Anderson). Building automation is designed with convenience and improved efficiencies in mind—the focus is typically on reducing excessive energy consumption, saving time and reducing total cost of facility ownership—not cybersecurity. Much like security was not baked into many IoT devices, security has also been an afterthought when it comes to building automation. And, even now that the risks inherent in building automation are starting to be uncovered and realized, there’s debate as to who the owners of the systems should be, and who should be responsible for BAS security. Most often, IT and cyber shops are not the owners of BAS, and just as often, they have no idea that the systems even exist or are connected to the corporate network. Ownership typically falls to Facilities Management—professionals who are very good at physical security, operations and keeping the lights on, but who often lack a strong cyber acumen, simply because—to date—there hasn’t been a real need for them to understand cyber. In the U.S. alone, more than 90% of buildings with square footage in excess of 500,000 have some form of building automation in place. That’s a massive target, and one that is pretty poorly protected. 
It is absolutely critical that organizations and businesses with any sort of BAS in place make it a priority to see and classify exactly what’s automated in their buildings, define processes and procedures to manage them appropriately, and ensure they have the proper staff in place to keep their systems and networks secure, segmented and operational.
Summary: Another school district was recently hit by a ransomware attack. Details have yet to be released, and it’s unclear if the school district will pay the ransom.
Why it matters: This may have been the first public ransomware attack of 2019, but it’s not the first time we’ve seen a ransomware attack on a school district. The Middleton School District in Connecticut was hit with ransomware last year. Also last year, the Leominster Public School District in Massachusetts paid a $10,000 bitcoin payment to cyber extortionists. An attack on multiple school districts in Texas left numerous school websites inaccessible in 2016. There’s a common theme across most of the attacks—data was rarely stolen. Instead, the attackers just encrypted the data and critical systems, making them inaccessible. When that happens, a system’s integrity is corrupted, which might also lead to destruction of data stores. According to research by IBM, 70 percent of businesses paid the ransom to decrypt their data in 2016. Still, nearly 40 percent of ransomware victims pay attackers to recover their data, and less than half actually get it back. Ransomware remains a very lucrative business for attackers, so it’s critical that businesses and schools alike implement best practices to defend against ransomware attacks. Critical data should be segmented across the network as part of a defense-in-depth strategy that isolates sensitive data and makes it harder for attackers to gain access through a compromised endpoint. Like any good defense strategy, it’s important to have overlapping controls and security practices in place.
Summary: Huawei has already been banned in a number of countries, including Australia, Japan, New Zealand and the U.S., and it’s likely that more countries will continue to ban the Chinese tech giant.
Why it matters: With Germany now on the list of countries considering banning Huawei from supplying its 5G infrastructure, and Oxford now suspending Huawei donations and sponsorships, the Chinese telecom is fighting to maintain a foothold anywhere it can. In the West, Canada is conducting reviews on the deployment of 5G and it’s currently unclear if Huawei will have a shot as the 5G provider. The warning of ‘repercussions’ by Chinese ambassador Lu Shaye is as ominous as it is bold, and suggests that the company is struggling to counter the repeatedly bad press in recent months. From the arrest of the company’s CFO in Canada, to the more recent arrest of a company sales director on spying charges in Poland, the company may be nearing a point of no return, but since it’s not publicly traded and is instead backed by the Chinese government, it’s still too soon to say what exactly the future holds for the company. What is clear, however, is that nation states and international businesses are running out of reasons to trust Huawei—when a company’s CEO says he would refuse a request from the Chinese government to access the company’s user data, it’s clear that the government has already made the request. Under communist rule, a request isn’t something that can simply be denied. What’s also important to realize is that Huawei is but one of many Chinese companies that is government owned. In 2015, 98 of the Fortune Global 500 companies were based in China, putting the country second only to the United States. Previously considered too small to warrant state ownership, three major Chinese software companies, Alibaba, Baidu and Tencent, joined China Unicom, a state-owned group and the country’s second largest wireless telecom operator, in 2017. While these companies aren’t making headlines in the same way as Huawei, their state backing warrants a cautious eye.
Summary: The newly discovered Collection #1 data dump is being touted as the largest public data breach by volume, exposing 772,904,991 unique emails and 21,222,975 unique passwords.
Why it matters: Many cyber professionals would agree that this ‘breach’ isn’t technically a single breach, nor is it new—it’s a compiled database of many, many previous breaches. It’s yet to be seen if all of the compromised data is real, or if some of it is fake, but we do know that at least some of the compromised passwords are legitimate and there are multiple ‘collections’ of compromised data for sale. This event serves as a reminder of how important it is to use strong passwords, change them often and use multifactor authentication whenever possible. Even if you just updated your password, it’s still a good idea to reset your passwords across all of your accounts—and don’t use the same one twice! And, when in doubt, be sure to leverage Troy Hunt’s free password checking service, Have I Been Pwned? to check if your account has been compromised in a data breach.
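The advice above to check passwords against a breach corpus raises a practical question: how do you ask “is this password in the compiled dump?” without handing the password (or its full hash) to the service? The following is an added example, not code from the Forescout article or from Have I Been Pwned, showing the k-anonymity range-query pattern that Troy Hunt’s Pwned Passwords API popularised: the client hashes the password locally with SHA-1, sends only the first five hex characters, and receives every hash suffix that shares that prefix, along with a count. Matching happens on the client. Both “sides” run in one process here; the breach corpus and its counts are constructed for the example and are not real breach data.

```python
import hashlib
from collections import Counter

# Constructed stand-in for a compromised-password corpus (NOT real breach data;
# the counts are made up for the example).
CONSTRUCTED_BREACH_CORPUS = Counter({
    "password": 3_000_000,
    "123456": 20_000_000,
    "qwerty": 2_500_000,
    "letmein": 150_000,
})

HEX_UPPER = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    """Hash the password locally; only a prefix of this ever leaves the client."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# ---- "server" side: index the corpus by the 5-character hash prefix ----------

def build_range_index(corpus):
    """Map PREFIX -> [(SUFFIX, count), ...], mirroring a range-query endpoint."""
    index = {}
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append((digest[5:], count))
    return index


def range_lookup(index, prefix):
    """Return 'SUFFIX:COUNT' lines for one prefix, as the server would respond.

    The server never sees the full hash, so it cannot tell which of the
    returned suffixes (if any) the client actually cares about.
    """
    if len(prefix) != 5 or not set(prefix) <= HEX_UPPER:
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    return [f"{suffix}:{count}" for suffix, count in sorted(index.get(prefix, []))]


# ---- client side: hash locally, query by prefix, match the suffix locally ----

def pwned_count(password, index):
    """Number of times the password appears in the corpus (0 if absent)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(index, prefix):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def is_compromised(password, index):
    """Policy hook: reject any password seen at least once in the corpus."""
    return pwned_count(password, index) > 0


if __name__ == "__main__":
    idx = build_range_index(CONSTRUCTED_BREACH_CORPUS)
    for pw in ("password", "letmein", "a-long-phrase-nobody-leaked-yet"):
        print(f"{pw!r}: seen {pwned_count(pw, idx)} times")
```

In a real deployment the `range_lookup` call is an HTTPS request carrying only the five-character prefix, so the service learns nothing more than that the client’s hash falls in one of roughly a million buckets. A password that returns zero hits is not thereby strong; the check only tells you it is not in the corpus you queried, which is why it belongs alongside, not instead of, the multifactor authentication advice above.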
Summary: More than two years after the 2016 attack on the SEC, charges are finally being brought against eight individuals behind the attack.
Why it matters: This story is a great example of how attackers are going to get more creative in their attacks moving forward, just as we predicted in 2018. Attacks have evolved over the years—shifting and maturing from data theft, phishing and ransomware attacks to fraud, cryptomining and other methods. Passwords and financial information have long been the targets for malicious actors, but increasingly, we’re going to see attackers attempting to gather company secrets and proprietary information. And, no longer will they simply hold that data for ransom—they’ll also put it up for sale on the black market, leverage it for public extortion or use it for illegal trading, as in the SEC case, or at the nation-state level, leverage it for competitive economic advantage. Breaches can have an impact on the stock market and influence investors, even when the attackers don’t use ‘insider’ information to buy and sell stocks. Breaches impact public perception and often result in increased spending on cybersecurity tools, consultants and mitigation and remediation experts. According to a 2018 study on the impact of data breaches on the stock market, breached companies underperformed the market in the long-term. While we’ve seen increasingly strategic cyberattacks, many have yet to fully realize the direct link between cyberattacks and all aspects of everyday life and decision making.