Revised 05/23/2023

Changing Computer Karma: But Old Demons Still Reign
A Review of After Action Reports

Computer Karma's gonna get you
It's gonna wipe out your drive
Better learn to backup all your files
Before all you can do is sit and cry
— With Apologies to Mr. John Lennon

 

Computer security vendor Mandiant (now part of Google Cloud) released its 14th annual M-Trends report, M-Trends 2023, on April 18, 2023.  The report reviews major cyberattacks that Mandiant investigated in 2022 and assesses how what is known about those attacks might help defend against future ones.  The full report is 108 pages long, in PDF format, and requires a private domain email address to obtain.  A more digestible Executive Summary is available on the web here.

What Mandiant's research shows is that in over half of the attacks investigated, one of three well-known initial attack vectors was employed: exploitation of a vulnerability, email phishing, or a prior compromise.  Mandiant also found that these vectors were, in general, geographically segmented.  Exploits were the most common vector in the US.  Email attacks were the weapon of choice that cybercrooks aimed at the European Union.  In the Asia Pacific region, "prior compromise" (an earlier intrusion or stolen access reused for a new attack) was the most frequently used method, according to Mandiant.

In attacks on California entities during 2022 and early 2023, each of these three vectors can be seen at work.  One of the most persistent was the attack on the Los Angeles Unified School District.  The groundwork for the September 2022 attack on LAUSD had been laid well before it.  As reported by The Hacker News on October 24, 2022, LAUSD was hacked by the known cybercrime group Vice Society.  Vice Society is the subject of a joint CISA/FBI #StopRansomware advisory and is known for attacking schools.

Four days after the breach, it was reported that criminals had offered credentials for accounts inside the school district's network for sale on the dark web months before the attack.  The stolen credentials consisted of email addresses with the suffix @lausd.net as the usernames, paired with breached passwords.
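As an added illustration (not part of the original post, and not anything LAUSD, its vendors, or Vice Society used): when a dump like the one described above surfaces, one check a defender can run is to pull out the entries for its own domain and test whether each exposed password already appears in a known-breached set, without ever sending the plaintext anywhere.  The k-anonymity scheme below is the one Have I Been Pwned's Pwned Passwords range API uses: only the first five hex characters of the password's SHA-1 would leave the host, and the remaining 35 are compared locally.  The dump lines, the domain, and the breached-password corpus here are all constructed for the example, and the range lookup is simulated with a local index instead of calling the real service.

```python
import hashlib
from collections import defaultdict

# Constructed sample dump in the "email:password" form such listings commonly
# take.  These are illustrative entries only, not real leaked credentials.
SAMPLE_DUMP = """\
jdoe@lausd.net:Summer2022!
asmith@lausd.net:correcthorsebatterystaple
someone@example.com:Password123
bjones@LAUSD.net:lausd2021
# comment line that should be ignored
malformed-line-without-separator
"""

# Constructed stand-in for a breached-password corpus (the real Pwned
# Passwords service holds hundreds of millions of SHA-1 hashes).
KNOWN_BREACHED = ["Password123", "Summer2022!", "lausd2021", "123456"]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached_passwords):
    """Group breached hashes by their 5-hex-char prefix.  This mimics what the
    range API returns for a prefix: the suffixes of every hash that starts
    with it.  (Assumption: a local stand-in for the remote service.)"""
    index = defaultdict(set)
    for pw in breached_passwords:
        h = sha1_hex(pw)
        index[h[:5]].add(h[5:])
    return index


def password_is_breached(password: str, range_index) -> bool:
    """k-anonymity check: only the 5-char prefix is used for the lookup; the
    35-char suffix comparison happens locally, so the plaintext never leaves."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    return suffix in range_index.get(prefix, set())


def parse_dump(text: str):
    """Yield (email, password) pairs from an email:password dump, skipping
    comments and malformed lines.  Passwords may themselves contain ':',
    so split only on the first one."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        email, password = line.split(":", 1)
        yield email.strip().lower(), password


def triage_dump(text: str, domain: str, breached_passwords):
    """Return the dump entries for `domain`, each flagged with whether the
    exposed password is already in the breached corpus."""
    range_index = build_range_index(breached_passwords)
    suffix = "@" + domain.lower()
    results = []
    for email, password in parse_dump(text):
        if not email.endswith(suffix):
            continue
        results.append({
            "email": email,
            "breached_password": password_is_breached(password, range_index),
        })
    return results


if __name__ == "__main__":
    for row in triage_dump(SAMPLE_DUMP, "lausd.net", KNOWN_BREACHED):
        flag = "already in breach corpus" if row["breached_password"] else "not in corpus"
        print(f"{row['email']}: {flag}")
```

The list `triage_dump` returns is what goes to the identity team for forced resets and MFA enrollment.  One caveat: "not in corpus" does not mean the account is safe.  Every password in the dump is exposed by the dump itself and must be rotated regardless; the k-anonymity check only tells you which of them were already circulating in earlier breaches, which is a reasonable proxy for how long the account has been at risk.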

Initially, LAUSD denied that stolen credentials were the root cause of the attack.  LAUSD employees had, however, been targeted months earlier by a relentless text and email phishing campaign, one that prompted the LAUSD CIO to tweet, "A lot of people trying to PHISH, please do not get HOOKED in."  The tweet links to the LAUSD page on how to avoid being phished.

A prior compromise, then, had opened the door for the successful attack.  Furthermore, it has been reported that LAUSD had been warned that "its network had been thoroughly compromised by cybercriminals in February 2021."  If that is, in fact, true, then it is also possible that all three of the attack vectors of choice were aimed and fired at LAUSD. 

Ultimately, the crooks' goal was extortion: a ransomware attack whose ransom LAUSD refused to pay for several weeks.  After thousands of highly sensitive student records were released on the dark web, LAUSD was reported to have paid a $400,000 ransom to end the breach.  I have yet to find any official confirmation or denial of that payment.

A second well-publicized California hack is the more recent one that befell the San Bernardino County Sheriff's Department.  News of a ransomware attack on the Sheriff's computer network was first reported on April 23, 2023, by local TV station KABC.  At first very little was reported about the nature of the attack, but in a subsequent KABC report the statement was made that "Officials believe the hackers likely were able to access the system after someone on a county computer clicked on a malicious link."  Oy!

After several weeks of resorting to old-school police tasks and tactics, like "officers having to use radios to run license plate checks or get further information on suspects," a ransom of 1.1 million dollars was paid, split almost evenly between the County and its insurer, KABC reported on May 5, 2023.

Possibly the most widely publicized data breach of 2022 was the Twitter breach, whose stolen data surfaced free of charge on a hacker forum in November 2022, as reported by BleepingComputer on November 27, 2022:

Over 5.4 million Twitter user records containing non-public information stolen using an API vulnerability fixed in January have been shared for free on a hacker forum.

Long before that data surfaced, Twitter had been warned of security issues with its software.  In August 2022, the former head of security for Twitter, Peiter "Mudge" Zatko, went public with his accusations that Twitter management had paid very little attention to the security of their platform.  In a whistleblower complaint filed with the SEC, the former exec claimed there were "egregious deficiencies, negligence, willful ignorance, and threats to national security and democracy."  Zatko claimed that "the platform averaged one serious breach a week." 

Those security concerns were borne out when Gizmodo, on November 28, 2022, reported that:

The data had been originally jacked from Twitter using a flaw in the platform’s application programming interface (API) but is now being shared openly online.

So the cybercrooks' way in was exploitation of a vulnerability, one of Mandiant's unholy trinity noted above, in this case a flaw in Twitter's API.  As a result, some 5.4 million records of Twitter users are believed to have been exposed and made available for free on a hacker forum.  Note that the flaw had reportedly been fixed in January 2022; the data taken before the fix was what circulated for the rest of the year.

What do a breach of a school district, of a county-wide law enforcement agency, and of Twitter, the 44 billion dollar plaything of Elon Musk, all have in common?  Each entity was the victim of the same kinds of crimes happening around the globe, as described by Mandiant (now part of Google Cloud), and in each case the effects of the attack had the potential to fall on innocent citizens who were not part of the organization that was breached.  The San Bernardino Mountains and Big Bear are popular year-round playgrounds for SoCal locals and tourists from all over the world.  Moreover, the Big Bear Lake city website says: "The City contracts with the San Bernardino County Sheriff's Department for criminal law and traffic enforcement. The Sheriff also provides all required administration, dispatch, and clerical service."  Whose call for help went unanswered while the computers were down?  The question is rhetorical (maybe someone's did, maybe not), but it is on the mark nonetheless. 

Cybercrime has no fixed address.  Vice Society, the group that attacked LAUSD, is "believed to be a Russian-based intrusion, exfiltration, and extortion group."  Yet how many Los Angeles parents and grandparents of LAUSD students lay awake at night wondering whether their child's birthdate and Social Security number were for sale "dirt cheap," as the song goes?

What these three cyberattacks also have in common is that, had the people at the breached entities been paying attention to the clues around them, remembered the importance of best practices, and simply applied common sense, the attacks very likely could have been avoided. 

Yes, these are organizations.  What about plain consumers who use their computers?  What are their risks?  The answer comes in one simple "F" word: FRAUD.  And the data is somewhat surprising.

Part 2 is here.

¯\_(ツ)_/¯
Gerald Reiff
