[00:00:18.440] – Matt Fusaro
How are you?
[00:00:19.040] – Jason Pufahl
Good, thanks. I think we’re going to try to do a regular segment now where we talk a little bit about current threats, relay a little bit of information that we’re getting really from existing clients and the challenges that they are facing that might be relevant to our listeners. Today, maybe starting a little bit with those topics in the news, threats that we’re seeing, or creative cyber-attacks that are new recently—covered a couple of them here when we were planning for this. And I think the one that probably jumped out first was the Red Cross, which seems like an organization you probably shouldn’t attack. But anybody want to start with what happened there?
[00:01:04.160] – Matt Fusaro
Yeah, it is interesting actually, now you bring that up, that they did attack the Red Cross because there seems to be kind of an accord going around a lot of the threat groups where they don’t attack these types of systems. But this definitely was targeted right at the Red Cross. Their main headquarters is in Geneva, and I guess this is where they house a lot of their IT systems. This particular attack affected around 515,000 people that were receiving aid from the Red Cross. So what they’re saying is that this sophisticated attacker came in, which I’ll give them this one. Usually, we don’t like when we hear “sophisticated attacker”; there’s usually not much of an attribution toward them being sophisticated when we see the details. But apparently, there were a lot of custom payloads that were created just for them. I guess a lot of the scripts were specifically targeting MAC addresses, custom software, things like that. So we’ll give them the “sophisticated” one on this one. But apparently, this one had a dwell time of about 70 days or so. I think right now, what are we at, 200 or so days that we’re seeing in most organizations for dwell time?
[00:02:16.500] – Jason Pufahl
That’s almost fast, then. Fast discovery in some way; 71 days is still a long time…
[00:02:21.270] – Matt Fusaro
Yeah, it really does solidify that these guys are usually here for a while before you actually find out what’s going on.
[00:02:28.620] – Steve Maresca
And unfortunate for them, they tripped over it when they were deploying an EDR system. So it could have been a longer dwell time, more in line with the average, but in this particular case, at least, they found it and were able to take steps to get rid of the actual attack and the malicious actors. I think that the main takeaway is that it was at least associated with, if not caused by, a vulnerability. And a lot of the time, especially today, we talk about ransomware being initiated by phishing, and that does not seem to be the case here. Interestingly, their disclosure buried quite deeply the platform that was affected, but this was ManageEngine ADSelfService, so it’s basically a tool used for people to manage their own passwords and that sort of thing.
[00:03:14.880] – Matt Fusaro
A tool of convenience, again, used against you. This is something we’ve seen in the wild, too. One of our incidents actually involved a similar system from ManageEngine. I think the takeaway here is especially for things that are involving your identities, make sure they’re patched. You got to stay on top of them. I think they do admit a little bit, even in the ICRC, which is the Red Cross’s organization; ICRC does say that we were trying to get to patching, we just didn’t get to it in time, and then this is the result here.
[00:03:47.760] – Jason Pufahl
So I imagine that’s then where you’re splitting hairs around it being a sophisticated attacker, but at the same time, they used an existing vulnerability, which we see all of the time. So I think your attribution for the sophisticated piece is that they created some custom scripts or some custom content to exploit this?
[00:04:06.380] – Matt Fusaro
Yeah, almost more targeted than sophisticated. There were some tools used that apparently are not available. If you go to GitHub or other places, you would normally find hacking tools or any type of malicious tools that you could find from Metasploit or those packages that are out there. These are definitely tools that they developed themselves.
[00:04:28.670] – Jason Pufahl
It certainly does demonstrate that nobody’s immune to this. You can’t look at it and say, well, my company doesn’t have data that’s important, or my company operates in a space where there’s this tacit agreement that they’re not going to get targeted. Everybody is a target.
[00:04:42.980] – Steve Maresca
Social services organizations like the Red Cross are compelling targets for these organizations because they tend to involve identification of people, lots of PII, medical records, and things of that variety.
[00:04:57.360] – Jason Pufahl
Yeah, the data is valuable.
[00:04:58.960] – Steve Maresca
And with a multinational scope, too. So you hit that type of an org, you get a lot of people across the world all in one fell swoop. It’s attractive if you’re an attacker, not so pleasant if you’re the organization.
[00:05:12.770] – Jason Pufahl
So moving on, maybe. It’s late February, tax season is upon us, and I think we’re seeing some activity now with Intuit, right?
[00:05:25.800] – Steve Maresca
Yes, absolutely. There’s an attack that’s ongoing over the last several weeks, I’d say, where Intuit users are being phished, totally unrelated to Intuit itself. Intuit, the company, and its platform are totally unrelated. But the message is that your account is going to be suspended due to inactivity, making people feel nervous as they’re getting ready to enter their taxes. So it’s timely. People are thinking about it; they’re susceptible to it. And we wouldn’t be entirely surprised to hear this is occurring with other agencies’ tax prep organizations. Basically, in this case, it’s a phished email: a link invites the recipient to go to some website unaffiliated with Intuit, submit the username and password, and all of that. Now, what’s the threat? Ultimately, if a threat actor has your username to a platform like that, you may be able to access prior tax returns; down the line, submit fraudulent returns; get your return deposited in some banking mule account, something like that. That’s the arc of an attack like this.
[00:06:34.350] – Matt Fusaro
Yes, especially the false filings. Those are pretty impactful to people because it does take a while to actually get corrected, and usually, you’ll have to get some legal team on your side as well to fix all of that. So it’s definitely something to watch out for. Intuit is the unfortunate target of this almost every year now. At this point, there’s always something new every year.
[00:06:56.770] – Steve Maresca
It’s just a market share thing; certainly, it makes sense. There’s not much else to it ultimately; it’s the same message as usual. Watch your recipients, make sure they’re legitimate, and watch your senders, make sure they’re legitimate, and be wary of the links you click. In this case, it seems like there may have been some sort of a payload malware that was delivered in addition to submitting credentials. It makes sense. Tax preparation, if you’re doing it by your computer, you probably have some files, local. I’m not too surprised there.
[00:07:28.710] – Jason Pufahl
I think one of the takeaways, though, is we certainly don’t want people to hear this and limit their concern maybe to Intuit or [crosstalk] or any of the companies that are like that. We’ve absolutely seen larger companies who run their own payroll and HR systems be targeted for almost exactly the same style of attack. So I think that the message really is it’s tax season. People probably get anxious a little bit around tax season, regardless. The opportunity to phish people is really high. So pay attention to your internal systems. If you’re an individual user, of course, pay attention to some of those other sites that you might use for individual preparation.
[00:08:04.620] – Steve Maresca
It’s the perfect storm for phishing: urgency, some anxiety around it. The call to action is present in all of that, whether you’re dealing with the federal government or tax preparers alike. Stay alert.
[00:08:16.930] – Jason Pufahl
Taxes happen every year, and the gift of phishing taxes happens every year for sure. So moving on, and honestly, of the three, this is the one that I think makes my skin crawl more than anything else, probably—the idea of exposed credentials being used to impersonate somebody else through some of the common chat platforms. So I think Teams specific.
[00:08:43.610] – Steve Maresca
This is a recent event that disclosed that Teams is being used to actually distribute malware. Now, the attack setup is pretty simple when you get down to it, but it is multistage. It starts with an initial user in an organization that uses collaborative tools like Teams, being acquired through phishing. That user is then impersonated, the attacker logs in, and then subsequently does some organizational reconnaissance to figure out reasonable next targets. Now, the real interesting part of this particular attack that’s been disclosed is the fact that messages are created to send to some other person in the org, with an attached piece of malware or an attachment that is malicious in some other way – a link, you name it. Bottom line, though, is that the communication seems to come from a valid source, the impersonated individual. Therefore the recipient is more inclined to trust it because it comes through Microsoft Teams. It comes through an email alert that you missed a message. It’s abusing those trusted relationships to get somebody to click.
[00:09:49.050] – Jason Pufahl
So the flow, I’m curious, is it really just send a file and hope somebody downloads it? Or is there a preamble, a conversation starter of some sort, or do you have any sort of inclination of what that normally is looking like?
[00:10:03.070] – Matt Fusaro
I think it’s going to depend right on the attacker and who they’re attacking. There’s a lot of opportunities there. If your Teams platform allows you to attach files and send links and things like that, then all that’s available to you. And really the sky is the limit as far as what you want to do. But again, I think Steve’s point: you trust that person because you work with them. You have no reason to believe it’s not that person sending you that message. So if you get a spreadsheet that says whatever it is, I don’t know, orders for this week, you’re going to open it trusting that it’s a good document. And that’s where it’s easy to just install macros or have that be a separate type of payload.
[00:10:46.950] – Jason Pufahl
It made it so difficult, and I have no idea. We tell everybody, look at links and emails and try to understand a little bit the language being used. But the reality is that’s a short form communication, and you’re usually getting maybe a sentence – it’s hard to discern tone, it’s hard to discern intent.
[00:11:04.440] – Matt Fusaro
Yeah, you have to rely on your identity systems at this point for this. And it’s a shame that, quite honestly, Microsoft makes this somewhat unattainable for some companies. You need a pretty high level of Microsoft 365 licensing to get things like your Identity Defender. This is something that a risky sign-on would probably catch where they’d be asked for multi-factor or something like that. If they are coming from a different country, if they’re coming from somewhere that they don’t typically come from, that usually is marked. If you don’t have that, then you’re kind of susceptible to this.
[00:11:40.700] – Steve Maresca
And unfortunately, most orgs don’t actually deploy those things. And at the end of the day, even if the recipient doesn’t work with the impersonated individual, they’re probably going to try to be helpful and say, “Hey, you know, I don’t really know what this is, but maybe you want to go check with so and so,” which maybe means the attack is thwarted for the first recipient, but then they’re being redirected to a better one. So it’s an abuse of trust as usual. Now, we have other examples of this. We’ve heard of other collaboration platforms starting with G that you’d recognize being used in the same way.
[00:12:15.070] – Jason Pufahl
It’s not Teams specific.
[00:12:16.560] – Steve Maresca
It’s distributing messages without the “hey, it’s from an external sender” flag in an email or using internal pathways that are trusted—same deal.
[00:12:27.150] – Jason Pufahl
So this hits our current topic piece. How current is this? We haven’t managed an incident, I don’t think, that has had a collaborative tool issue as its genesis, right?
[00:12:41.820] – Steve Maresca
In this particular case, the Teams news that was disclosed is as recent as February 17th.
[00:12:47.880] – Jason Pufahl
So, incredibly recent.
[00:12:49.450] – Steve Maresca
Obviously, I was referring to Google: Google Groups; Google domain attack is also this month. And not just one organization, this is across several, and it’s a fairly publicized attack, but same vector.
[00:13:04.410] – Jason Pufahl
Certainly something to keep an eye on then, and to see if they start getting used more and more prevalently. And the reality is I think we’re better at detecting your traditional email-based phishing. This is just another way of hopefully getting in front of somebody and executing something under the basis of trust.
[00:13:22.230] – Jason Pufahl
So moving on a little bit, things that we’re encountering as we talk to clients. For me, the thing that jumps out for sure seems to be cyber liability insurance. We did a whole episode basically on the new requirements. I feel like every customer that we have is either renewing policies or maybe looking for new policies and addressing some of the gaps that they have relative to some of the new requirements.
[00:13:51.120] – Steve Maresca
Right. I have four or five applications that I’m facilitating for organizations right now. With different carriers, it doesn’t really matter; the workflow is the same. Similarly, as an outgrowth of that, we’re dealing with implementations to resolve some of the things that cyber liability insurers have earmarked as requirements for getting the policy. MFA being a great example. It’s a direct outgrowth of cyber liability. I don’t have a count of how many customers have been doing that.
[00:14:20.450] – Matt Fusaro
Yeah, it’s been quite a few. Between MFA, EDR, some SIEM implementations, there’s been quite a bit that people are trying to get out there and be reactive and proactive based on where they are in that cycle. But the insurance requirements are definitely pushing quite a few projects in that direction.
[00:14:38.430] – Jason Pufahl
They’re frankly all reasonable things to implement. If we go back a little bit to the Teams discussion we just had, you’re pushing MFA, and you’re adding that second factor; it’s a protector against something like that. So there’s good reason to do these, and you understand why they’re pushing it. It’s just the time frame for some of the clients that we’re seeing, and the time they need to actually deal with this is pretty short. And so extensions are often being asked for, or you’re potentially even pushing off renewal a little bit.
[00:15:05.580] – Steve Maresca
Right. And sometimes that’s not possible. Things are co-termed. And year-end, fiscal year-end, it’s coming up quick for those orgs that are June based or May based. For some .edu, the clock is ticking very quickly. Others have maybe a few months additional runway, but it’s not a lot.
[00:15:24.450] – Jason Pufahl
So outside of cyber liability insurance, anything jump out to either of you?
[00:15:30.270] – Steve Maresca
Many requests from a policy and procedure standpoint, and a lot of them come from the “we need policies because we don’t have them” standpoint. Realistically, policy development, policy implementation, and policy review: we’re seeing activity in all aspects of that. Some orgs have really well-developed policy lifecycle management, others don’t. But they are all beginning to recognize that the policies that they’ve left in draft form for five years really do need to be finished, or the policies that they didn’t think about that outside entities are beginning to demand; the attention is understood, and efforts are being invested toward actually resolving those issues.
[00:16:12.530] – Matt Fusaro
I think some of that is coming from the fact that quite a few companies have come to us and said, hey, we have money to spend right now. Let’s do some projects. Policy tends to be one of those things that they put on the back burners because a lot of people don’t want to do it. But now they’ve got some money to go and get some help to do it. I think a lot of it is coming out of the pandemic. I think companies are loosening their purse strings a little bit to spend money on things that they haven’t for a while. So that’s why we’re seeing some of that.
[00:16:41.030] – Jason Pufahl
And in fairness, having a documented set of policies, your incident response, acceptable use, maybe an information security plan of some sort, that will help drive your security program anyway. So there’s a real practical value in looking at what you want as an entity to look like from a security perspective, and then starting to actually do projects in concert with your policy framework.
[00:17:05.160] – Steve Maresca
Right. And I think that the other concern behind that and the other motivator is simply that there are two years of audits being suspended, and suddenly they’re resuming. So things are ramping back up, and the area of focus has shifted a little bit given the freedom to operate from home, the loosening of employee procedures, onboarding, and so forth. Now the policies are seen as the mechanism for enforcement and the mechanism for getting rigidity back on the table where it’s maybe been surrendered for the last couple of cycles.
[00:17:38.950] – Matt Fusaro
These companies are fundamentally different now in how they work. So it makes sense that the policies would need to change, too.
[00:17:45.230] – Jason Pufahl
I think we talked a little bit about trying to do a policies podcast. I think with the challenge being how do you make policies really interesting for 15 or 20 minutes. But I’m confident even just walking through the common policy set that we’re being asked to create and assist with, I think would be valuable.
[00:18:01.950] – Steve Maresca
Along with the dangers of overly prescriptive policies.
[00:18:05.140] – Jason Pufahl
For sure, or writing ones that you can’t comply with, right? So you write it, and then you find you’re out of compliance immediately. I think maybe security awareness could be one of the other things probably that I feel like all of a sudden we’re doing a bunch more, possibly tied to the cyber liability side a little bit, maybe also somewhat to the regulatory and audit side –
[00:18:27.280] – Matt Fusaro
People are more comfortable getting in groups now to actually have group-based… I know we’re scheduling some right now where there’s some group-based ones that we’re doing which hasn’t happened for a while.
[00:18:39.040] – Jason Pufahl
And the in-person, we generally focus on the in-person part of the training, which I think is great if you can manage it, but the video-based stuff can be good as well. I think those are probably the three things that jumped out to me over the last month or two. Cyber liability, I feel like it’s driving some of the conversations. I think your point about audits kicking back up is well made for sure as well.
[00:19:08.270] – Steve Maresca
I mean, that’s what the background noise of your usual vulnerability assessments and things [inaudible 00:19:12] But those are constants, these represent somewhat new attention, I’d say.
[00:19:19.260] – Jason Pufahl
Okay, that’s fair. Well, I think that brings us up roughly against our time here. As always, thanks for joining us today. We hope you got some value out of this. But of course, if you want to continue the conversation, feel free to reach out to us at Vancord on LinkedIn or @VancordSecurity on Twitter.
[00:19:37.390] – Voiceover
Stay vigilant, stay resilient. This has been CyberSound.