Symantec Security Summary – August 2021

Failing cyber security grades. The U.S. government got a major wake-up call this month after a government report issued by the Senate Homeland Security Committee found that critical federal agencies are still lacking basic cyber security protections. The report, issued on Aug. 3 through a bi-partisan congressional investigation, called out key agencies such as the State, Education, Agriculture, and Health and Human Services departments for not establishing effective cyber security programs and not sufficiently complying with federal information security standards. The result: The public’s sensitive information is now unnecessarily vulnerable to data breaches.

Among the key findings in the report, titled “Federal Cybersecurity: America’s Data Still at Risk,” were that seven agencies failed to comply with the Federal Information Security Modernization Act, signed into law by President Obama in 2014.  The agencies earned an average C- grade for falling short of the federally-mandated standards. Among the many infractions were the State Department, which left thousands of accounts active on its classified and unclassified networks after employees had left, as well as the Education department, where auditors were able to exfiltrate hundreds of files containing sensitive, personally identifiable information.

In total, six agencies failed to install security patches and other controls used to remediate potential vulnerabilities while a handful of other agencies were still dependent on legacy systems and applications no longer supported by vendors via security updates. The Senate report concluded that the government needs to update EINSTEIN, the flagship cyber security program for federal agencies.

“From SolarWinds to recent ransomware attacks against critical infrastructure, it’s clear that cyber attacks are going to keep coming and it is unacceptable that our own federal agencies are not doing everything possible to safeguard America’s data,” said Republican Senator (OH) Rob Portman, one of the chairs of the committee issuing the report, in a prepared statement. Definitely not an impressive report card for the government in an era increasingly defined by cyber security risks.

Ransomware continues to rage with new threats emerging on the horizon. Take BlackMatter, a new ransomware gang charting its course by learning from the mistakes of notorious groups REvil and DarkSide. In an interview with Recorded Future, BlackMatter said it was interested in targeting large companies with more than $100 million, but claimed it would lay off extorting companies in some sectors, including healthcare, government, and critical infrastructure, among others. 

In the interview, the BlackMatter developer denied earlier reports that the new group was behind the Darkside ransomware, which has disappeared since being at the heart of such high-profile attacks as the Colonial Pipeline. Ransomware experts made the link between the two because they are believed to use the same encryption routines. BlackMatter claims to be leveraging parts of the playbook from REvil, Darkside, and LockBit.

Speaking of LockBit, there has been a surge in ransomware activity associated with this group—an indicator, some say, that they are trying to fill the gap left by the Sodinokibi ransomware.  An investigation by Symantec’s Threat Hunter Team found at least one former Sodinokibi affiliate now using LockBit—the attacks begin with a file named mimi.exe, which is an installer that drops a number of password-dumping tools. The Threat Hunter Team also found malware known as Neshta on a number of hosts associated with LockBit attacks. Check out the Symantec Threat Hunter blogs to get more in-depth information on this issue.

Help wanted. Another sign the LockBit ransomware gang is gearing up on the attack front: The group is now trying to recruit corporate insiders to help breach and encrypt networks offering millions to those who carry out successful compromises. Rebranded in June as LockBit 2.0 ransomware-as-a-service, the new group is trying to cut out the middle man and go directly to recruit insiders who already have the proverbial “keys” to the corporate networks. LockBit 2.0 stated they are specifically looking for RDP, VPN, and corporate email credentials they can tap to gain network access.

On a separate front, there is continued fall out from the SolarWinds supply chain attack in January. The Russian hackers responsible have pivoted and gone after the U.S. Department of Justice. According to an official government statement, the Microsoft Office 365 email accounts of employees at 27 U.S. Attorneys’ offices were breached between May 7 and December 27, 2020.

Amidst the flurry of bad news, there were some key advancements in the war on cyber threats. One of the most promising is the new “Joint Cyber Defense Collaborative” (JCDC), stood up by the U.S. Cyber Security and Infrastructure Security Agency (CISA) as a public-private partnership to develop and implement better cyber security plans.  Broadcom Software will be participating in the first meeting of the JCDC on Monday, Aug. 23. The partnership seeks to:

• Design and implement comprehensive, whole-of-nation cyber defense plans to address risks and facilitate coordinated action;
• Share insight to shape joint understanding of challenges and opportunities for cyber defense;
• Implement coordinated defensive cyber operations to prevent and reduce impacts of cyber intrusions; and
• Support joint exercises to improve cyber defense operations.

The Biden administration also took steps to improve cyber security for critical infrastructure control systems—a growing concern after the high-profile Colonial Pipeline attack and also viewed as a lever for a “real shooting war.” The executive order calls for voluntary measures such as encryption and two-factor authentication as part of an impetus for companies to develop cyber security performance goals.

There is also proposed legislation that would position ransomware as terrorism. The Sanction and Stop Ransomware Act, introduced by Senators Marco Rubio (R-FL) and Dianne Feinstein (D-CA), would sanction nations that back cyber attackers. The bill also calls for the development of regulations for cryptocurrency exchanges.

Random news. For those interested in bug bounty programs, here’s one. Twitter has launched its first AI program sponsored by its Machine Learning, Ethics,Transparency, and Accountability (META) team, challenging people to find bias in its image-cropping algorithm and offering up cash for the winners. First place prize: $3,500.