Simply Cyber (vol. 33): Christmas List 2020: Naughty or Nice?

As a year-end wrap (aaauugh! that reminds me of all those grandchildren gifts waiting for attention and postage), I thought a noncontroversial list of notable acts naughty and nice would be useful. But with the publication deadline close upon me, I decided to further limit that scope’s list to cybersecurity acts. After all, I want to save time to peruse the always entertaining annual Holiday Gift Guide and do a bit of shopping.

Here are deceptively easy questions: Who sees you when you’re sleeping? Who sees when you’re awake? Apparently, it’s not just Santa Claus. Less benign groups than Santa and his elves are watching us and looking to enter our houses/lives via devices rather than down chimneys.

2020 Cybersecurity Naughty List Candidates

This year has been rich with candidates for the “naughty acts” list. Here is a non-exhaustive list of evil deeds:

The U.S. Marshals Service reported exposure of personal information about 387K current and former prisoners (name, address, DOB, SSN).
Hackers hit teen app Wishbone, then extracted and posted 40M user records.
The online kids’ game Animal Jam was hacked in October 2020 and 7,104,998 accounts were compromised (dates of birth, email addresses, genders, IP addresses, names, passwords, physical addresses, usernames). Of concern is identity theft because (1) children have “naïve” credit histories, making it easier for criminals to use their social security numbers for fraudulent activities; (2) children are not typically trained to check their credit reports because they and their parents “know” there is no history to report; and (3) opportunities for “synthetic identify theft,”[i] in which thieves create new identities using a combination of real and fictitious information.
In a Colorado-specific case, Visser Precision (manufacturer for DoD, SpaceX, Tesla, etc.), was hit by ransomware and received a request for $2.6M. Visser declined to pay, which is the advised response when companies have performed consistent file backup, but protected information (DoD and private intellectual property) was extruded and posted to a public website.
Multiple states reported exposed personally identifiable information (PII) on unemployment websites (e.g., AR, CO, FL, IL, KY, OH).
Bank of America revealed a data breach in its PPP application process.
Also related to Covid-19 is the launching of numerous spoofed sites. (NOTE: This kind of watering hole attack uses a current event or concern—for example, desire for information about the pandemic—to lure visitors to a malicious website and/or to clicking on a nasty link, leading to digital infection.)
GoDaddy reported SSH usernames and passwords had been compromised through an altered SSH file in its hosting environment, affecting ~28,000 customers. (NOTE: GoDaddy is the current domain name server for the malicious software site that the SolarWinds hackers pointed to.)

And the Winner for Naughty #1: Cozy Bear (APT 29)

Surprised? Outing a bear as a top offender—especially one with such an appealing moniker as this? Oh wait, we’ve seen this topos before. Remember Lotso, aka Lots-o’-Huggin Bear from Toy Story 3? He ruled tyrannically over his neglected toy minion.

In the cybersecurity case, Cozy Bear is the nickname for one of the advanced persistent threat (APT) groups supported by an adversarial nation-state. The APT groups from this country receive grudging respect for being “patient, well-resourced, and focused.”[ii] The hacking experts from this country are also credited with being speedy. A 2019 MIT study[iii] ranked four nation-states and (consolidated) organized crime groups according to average breakout time:

Russia: 18 minutes and 49 seconds
North Korea: 2 hours and 20 minutes
China: 4 hours
Iran: 5 hours and 9 minutes
Organized criminal groups: 9 hours and 42 minutes

It is thus no wonder that the US Government is concerned about the cybersecurity resilience of its defense industrial base—and all the other 15 critical infrastructure sectors it has identified.

Cozy Bear’s Recently Announced 2020 Activities

On 13 December 2020, the successful, clandestine occupation (since at least March 2020) of IT systems belonging to the Departments of Commerce, Defense, Homeland Security, and Treasury was announced. This announcement followed on the heels of the disturbing breach of well-known security technology company, FireEye. The attack was multi-phased, the first of which was the breach of network-monitoring software provider SolarWinds. The latter’s Orion software was laced with malicious software that then went out to clients as an update.[iv] The software has many thousands of customers worldwide in both government and private sector organizations.

The Cybersecurity & Infrastructure Security Agency (CISA) has issued an emergency directive ordering federal agencies to disconnect use of affected devices. It has also issued guidelines for organizations that describe how to examine their systems to determine whether they’ve been attacked.[v]

Take-Aways

For me, one of the lessons here is that cybersecurity is complicated. No single tool can ensure an organization’s immunity to a successful cyberattack. FireEye wasn’t immune, the US Government is not immune. In fact, the likely fallout over this reminds me of the 2011 compromise of RSA’s SecurID card system for multifactor authentication. The list of naughty acts and naughty actors is long. We should each resolve to take a deep breath (while wearing a mask, depending on your surroundings) over this holiday season and resolve to practice better cybersecurity hygiene in 2021:

Use robust, unique, unpredictable (from a computer processing/dictionary hacking tool perspective) passwords that you do not share or reuse for multiple accounts.
Research whether any of your email accounts have been captured in a large data breach at https://haveibeenpwned.com/.
Check privacy settings on all your applications.[vi]
Disable chatty (e.g., Bluetooth) or tracking (e.g., geo-location) technologies when not in use.
Segment your home network into a guest network (e.g., for streaming entertainment) and a protected network.
Back up the information you cannot tolerate losing to three places (i.e., computing device, removable hard drive, cloud storage) after you’ve encrypted that information that contains personally identifiable information (PII) or intellectual property (IP).
Protect your communications by using virtual private network (VPN) technology on any device with which you connect to the internet (yes, your smartphone also).
Validate the appropriateness of message senders, destination websites, and attachments by checking over out-of-band channels.
Encourage family and friends to be safer as well. The holiday season is a prime time for cybercriminal activity.

Hopes for 2021

I wish you all good health—both physically and digitally. And now, enjoy the Holiday Guide! I’m stepping away from my computer.

References for Holiday Cyber Reading

https://krebsonsecurity.com/2020/12/malicious-domain-in-solarwinds-hack-turned-into-killswitch/

https://krebsonsecurity.com/2020/12/solarwinds-hack-could-affect-18k-customers/

https://www.zdnet.com/article/microsoft-fireeye-confirm-solarwinds-supply-chain-attack/

https://www.kaspersky.com/enterprise-security/mitre/apt29

[i] https://www.cnbc.com/2018/04/24/child-identity-theft-is-a-growing-and-expensive-problem.html

[ii] https://us-cert.cisa.gov/ncas/alerts/aa20-352a

[iii] https://www.technologyreview.com/2019/02/19/137345/russian-hackers-are-eight-times-faster-than-chinese-and-north-korean-groups/

[iv] https://www.zdnet.com/article/microsoft-fireeye-confirm-solarwinds-supply-chain-attack/

[v] https://us-cert.cisa.gov/ncas/alerts/aa20-352a

[vi] https://staysafeonline.org/stay-safe-online/managing-your-privacy/manage-privacy-settings/