Why Can’t We Stop This?

In June of 2021 I was talking with a relative about what was going on in the world when he asked me why we can’t stop the recent spate of ransomware attacks (like the one which shut down the Colonial Pipeline that month) which have, among other things, caused him fear about running out of fuel in his car.

What follows is an oversimplification and a summation of old news, but it is basically what I told him about four reasons why we can’t just stop ransomware attacks written for somebody not versed in computer and network security.

  1. People will always be a weak link in a security infrastructure. This is nothing new and will never change. This is why companies should (indeed must) routinely remind employees to use caution and take steps to make themselves more difficult to attack, and also test those practices. However, this is just a case of trying to make your employees harder to attack than your peers’. If an attacker really wants to breach a company, there’s a lot that can be done through social engineering.

    Just this month, September 2022, Uber acknowledged that they had been breached. Evidence provided by the hacker, and in some cases confirmed by Uber, indicates that the hacker gained significant access to many critical elements of Uber’s corporate infrastructure. How did this happen? Apparently the hacker purchased an Uber internal user’s credentials after that individual had been compromised and then according to the hacker:

    “(I was spamming employee with push auth for over an hour) i then contacted him on WhatsApp and claimed to be from Uber IT, told him if he wants it to stop he must accept it

    And well, he accepted and I added my device”

    This link will take you to the Tweet that I’ve copied this from, but the whole Twitter thread provides great analysis and is worth reading. Additionally, Ars Technica and many other outlets have stories about the breach. The MFA spamming technique has a name, MFA Fatigue.

    This is nothing new. In Ghost In The Wires, Kevin Mitnick describes some of the social engineering and technical hacking which led to his arrest in 1995. In Catch Me If You Can, Frank Abagnale describes his (perhaps not so true) exploits in the 1960s and 1970s.

    In Dark Mirror, Barton Gellman describes some of the measures that he took to protect the materials that he received from Edward Snowden which included taking his laptop with him everywhere he went, even when going out socially.

    Most people won’t (and don’t need to) be this careful because there are more efficient targets. Somebody wanting to get access to a company’s secrets might start with employees who would have the most access, though starting with an easy target who happens to have limited access and then using a series of technical vulnerabilities or more social engineering to expand the hackers’ access also works well.

    Another aspect of this point is that we use our computer infrastructure to facilitate our work and social lives. Of course it’s possible to make data extremely hard to steal by keeping it disconnected from any network and providing extreme physical security at its location, but it wouldn’t be very useful on a daily basis. Companies must always find the balance between keeping data secure and keeping it available for its intended purpose. And if a company makes it too hard for employees to do their jobs, then employees often find ways around the security policies, which weakens them further, say by moving valuable corporate intellectual property to a personal Dropbox account with the password ‘password’.

  2. There will always be software vulnerabilities. Sometimes these vulnerabilities are in libraries included in many other software packages without the knowledge of end users, and they lie undiscovered for years, as happened with the Heartbleed Bug. Even once this bug was discovered, publicized, and patched, it was necessary for companies to update all vulnerable systems, which in the case of Heartbleed was most of them, and that takes time even if the company has a good process for doing so.

  3. Most of the groups carrying out these attacks are located outside of the reach of cooperative countries’ law enforcement agencies. DarkSide, the group thought to be responsible for the Colonial Pipeline attack, is thought to be based in Eastern Europe, probably Russia. REvil, the group believed to be behind the attack on JBS, is also probably based in Russia. The SolarWinds hack, which resulted in a number of breaches among the 18,000 customers who downloaded the malware-infected software update - including the Cybersecurity and Infrastructure Security Agency - was carried out by another Russian group, the SVR. Though all of those examples are located in Russia, there are also examples of groups which operate from China.

    Making it even more complicated to reach these groups to disrupt their activities, many of them are believed to be operating with the unspoken approval of their governments - some, such as the group which is believed to have carried out the SolarWinds hack, are thought to be directed by their country’s military.

    Obviously this makes it much harder to round up the suspected perpetrators than if they lived in the US.

  4. Attacks such as these may be planted with the ability to activate at a later time. This can lead to any number of problems, but one of them is that even if the group is caught or shuts itself down, companies may still be hit with attacks and be ready to pay the ransom, only to find that the websites used to pay it have disappeared along with the attackers. According to Forbes Magazine in an article from 7/13/21, this happened with REvil.
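The MFA Fatigue technique described under point 1 leaves a recognizable trace in authentication logs: many push prompts to one user in a short time, sometimes followed by an approval. The following detection logic is an added example written for this post, not code from the original article or from any vendor; it runs over constructed sample log lines in a hypothetical "timestamp user event" format.

```python
"""Detect MFA push-fatigue bursts in authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system): "timestamp user event".
SAMPLE_LOG = """\
2022-09-15T22:01:03Z alice push_sent
2022-09-15T22:02:10Z alice push_sent
2022-09-15T22:03:45Z alice push_sent
2022-09-15T22:05:02Z alice push_sent
2022-09-15T22:06:20Z alice push_sent
2022-09-15T22:07:11Z alice push_sent
2022-09-15T22:58:40Z alice push_approved
2022-09-15T22:01:10Z bob push_sent
2022-09-15T22:01:25Z bob push_approved
"""

def parse_log(text):
    """Parse 'timestamp user event' lines into (datetime, user, event) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events

def detect_push_fatigue(events, threshold=5, window=timedelta(hours=1)):
    """Flag users who got >= threshold pushes inside `window`, noting later approvals."""
    by_user = defaultdict(list)
    for ts, user, event in sorted(events):
        by_user[user].append((ts, event))
    findings = {}
    for user, evs in by_user.items():
        sent = [ts for ts, ev in evs if ev == "push_sent"]
        burst_end, start = None, 0
        # Sliding window: advance `start` until pushes[start..end] fit in `window`.
        for end in range(len(sent)):
            while sent[end] - sent[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = sent[end]
                break
        if burst_end is None:
            continue
        # An approval after a burst is the MFA Fatigue outcome that needs review.
        approved = any(ev == "push_approved" and ts >= burst_end for ts, ev in evs)
        findings[user] = {"pushes": len(sent), "approved_after_burst": approved}
    return findings
```

Bob’s single prompt and approval is normal sign-in behaviour and is not flagged; Alice’s six prompts in under an hour followed by an approval is what an analyst would want to see first.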

So what do we do about it? As an individual, be vigilant and educate yourself. SANS has a nice set of articles about creating a secure work-from-home environment. You can find many others. I also like these guides from The Wirecutter on securing your Mac and PC. If you work in IT, audit your entire ecosystem regularly, train your employees, follow best practices, add more layers of security in depth, try to stay one step ahead, and make sure that you are patching whatever you can as soon as you can.

Of course, my colleagues and I at TachTech would be happy to help you.

Craig Sirkin