At a glance.
- "Nutrition labels" for security (in a metaphorical sense).
- Are Russian privateers testing US limits?
- The US Treasury deploys sanctions against the ransomware underworld's supporting financial infrastructure.
NIST’s progress on IoT, software security labeling.
Dark Reading has an update on the security labeling component of US President Biden’s May cybersecurity Executive Order (EO). As we’ve seen, the EO directed the National Institute of Standards and Technology (NIST) to launch labeling “pilot programs” to inform consumers and incentivize producers, with a deadline of February 2022 for determining what information to include on the tags. NIST issued a white paper on the subject in May, hosted a “Workshop on Cybersecurity Labeling Programs for Consumers: Internet of Things (IoT) Devices and Software” last week, and will publish a provisional plan for comment next month.
The voluntary program is expected to help individuals and small businesses with limited technical expertise and purchasing power make security-literate buying choices. The Federal Trade Commission will address deceptive labels.
Russian privateers may be testing US limits.
Two weeks after the FBI warned the agriculture sector to be on the lookout for ransomware attacks, a grain collective based in the US state of Iowa has come under attack by the Russia-linked cyber gang and suspected DarkSide successor BlackMatter, the Wall Street Journal reports. BlackMatter has demanded $5.9 million by Saturday to decrypt financial, HR, R&D, and other proprietary data, according to Bloomberg. New Cooperative, which Reuters says purchases and stores grain, distributes fuel and chemicals, and operates harvesting software solutions from fifty-plus sites across the state, has “proactively” disconnected additional systems, reverted to pen and paper where necessary, and contacted law enforcement and cybersecurity professionals.
The attack comes three months after President Biden advised Russian President Putin at the Geneva summit that critical infrastructure sectors were off limits to cyberattacks, or else. The “‘food and agriculture’ industry,” Reuters notes, “is publicly defined as a critical infrastructure sector by the Department of Homeland Security.” Recorded Future analyst Allan Liska commented, “This is a very clear attack on an organization that is part of our critical infrastructure. This could result in disruptions to food delivery in parts of the country.”
When New Cooperative raised that fact and the prospect of US Government retaliation in communications with the gang, BlackMatter offered to double the ransom, cautioning, “Do not threaten us, otherwise you will stay without a decryption.” The gang denied the collective’s ‘critical’ status, CyberScoop reports, explaining that “the critical ones mean the vital needs of a person,” and New Cooperative does not “fall under the rules.” The gang avoids “much more serious” targets like oil firms, while New Cooperative “only works in one state,” and the “volumes of their production do not correspond to the volume to call them critical,” they said. Liska remarked, “It is nice that an uneducated backwoods Russian can decide what does and doesn’t count as critical infrastructure.”
The chicken, grain, and pork supply chains could endure a “very public disruption” since “11 million animal feed schedules rely on” New Cooperative, the organization’s negotiator counseled BlackMatter, and the attack’s fallout might rival that of the Colonial Pipeline incident, which may have driven DarkSide underground. We’ll stay tuned for the Biden Administration’s response.
We received considerable comment from industry on the ransomware attack. Danny Lopez, CEO of Glasswall, would disagree with BlackMatter that an agricultural organization isn't all that important:
"Reports of ransomware hitting agricultural companies is especially troubling, given the importance of the work being done by these types of organisations.
"Organisations need to adopt robust processes for onboarding and offboarding employees and affiliates that may receive access to key information systems. It's vital to control privileged access and to monitor those that enjoy that administrator privilege. Ensuring that multi-factor authentication is enforced wherever possible is a vital defence where user credentials find their way into the public domain. This will help to limit the blast radius, and in most cases, defeat the data breach.
"Even if all procedures and policies are well executed, then there's no escaping the fact that adversaries are constantly looking to probe vulnerabilities and to insert malware into the environment, often using everyday business documents which we all use. It's vital that critical infrastructure organisations invest in cyber protection services that stay ahead of attackers by eliminating the threats while still allowing employees to do their vital work.
"Attacks like these demonstrate that a traditional castle-and-moat approach to network security leaves organisations exposed. Zero trust security sees the world differently. No one is trusted by default, regardless of whether they are inside or outside a network. In a world where data can be held amongst multiple cloud providers it is crucial to strengthen all processes relating to access verification. Without a zero trust approach organisations run the risk of attackers having free rein across a network once they are inside.”
If we were to take BlackMatter at its word, ransomware "ethics" might well lead you to become a target because you're too small to matter, in the big picture. Neil Jones, cybersecurity evangelist at Egnyte, draws a simple lesson from this:
"The key lesson we can take from cyberattacks like the one on New Cooperative in Iowa is that no organization or industry is safe from cyberattacks, even when they are considered one of the U.S. government’s “critical sectors.” Senior executives and IT leaders need to be aware that no technological solution is 100% effective, but a large percentage of ransomware attacks can be prevented with diligent preparation. These types of security breaches occur on a regular basis, resulting in companies being targeted because of their significant impact on the nation's food supply and the mission-critical systems they rely on to communicate with farmers, food producers, and business partners during harvest time.
"At the end of the day, all content and communications are vulnerable without proper data governance. It’s imperative that organizations begin with protecting the data itself. If secure file collaboration tools with Multi-Factor Authentication (MFA) are implemented correctly, they can render cybercriminals’ attacks ineffective. Deployed in a case like this one, where adversaries were able to infiltrate the organization's network and impact its mission-critical business activities, the systems would have been inaccessible to outsiders and the organization's valuable data would have remained protected.
"We often find that the methods and tools being employed by organizations like New Cooperative just can't keep pace with today’s evolving security threats. Data protection must be viewed as more than a compliance checklist. Optimal data governance solutions make it easy to share files with anyone, without compromising users' security and control."
Alex Pezold, CEO of TokenEx, expects no mercy, still less refunds, from the hoods:
"BlackMatter ransomware group strikes again. As experts investigate and we learn what attack methods gave the hackers access to so much sensitive data, we need to also consider more effective defenses. It's important to understand that ransomware developers have evolved a very extensive network, built on bitcoin currency, offering guarantees to customers on the quality of the data they have stolen from corporate customers, even offering a refund if the data is unusable. Having that level of confidence in black market data is what gives CIOs, CTOs, CISOs—heck, any data security professional—nightmares."
Ralph Pisani, president of Exabeam, calls for enhanced attention to behavioral anomalies:
"Ransomware remains a security Achilles heel. Understanding ‘normal’ versus ‘abnormal’ behavior sheds light on the presence of ransomware and its precursor problems, yet far too few organizations are able to see the canary in the coal mine.
"However, organizations that work to understand the cycle of compromise, taking the time to understand normal behavior, will uncover the intrusion as abnormal before it strikes. If organizations are serious about ransomware, they must up level their capability to manage intrusions; a leading method is the adoption of behavioral analytics to detect behavioral deviation and spot malicious activity at far earlier stages of an attack.
"Since ransomware is the product of earlier undetected intrusions, the window of opportunity for disruption and removal is small. Commodity security tools require too many static rules, generate far too many false positives, and do more harm than good. Organizations without advanced analytics will struggle getting ahead and are extremely vulnerable to the negative outcomes of ransomware.”
Quentin Rhoads-Herrera, Director of Professional Services at CRITICALSTART, also sees that criminal organizations' talk about their rules, their restraint, and their good intentions is so much chin music:
“Just like any other criminal organization, BlackMatter cannot be trusted to follow even their own rules. While they claim they do not attack critical infrastructure, they also don’t categorize NEW Cooperative as critical infrastructure, assuring them they will only incur financial losses, not a risk to life and limb.
"Since NEW Cooperative knows the KeePass data has been stolen, they need to move on to locking out accounts and creating new ones with complex passwords and multi-factor authentication. They also need to work with a firm to conduct incident response activities such as triage to remove any remnants of the attackers while also looking for “patient 0”. Understanding the full scope of potential damage that could happen if the data were to be leaked is top priority to start proactively looking at ways to mitigate. Looking forward, critical infrastructure such as backups, source code repositories, and other “crown jewels” need to be heavily monitored and protected from now on to make sure they can recover data if need be and prevent this type of attack from happening in the future if possible.
"In terms of negotiations, if NEW Cooperative is going to look at paying for recovery, they need to make sure that the group can actually recover their data before issuing any payments. While unlikely, they should also see if the group will disclose items such as how they got the access initially and how they got the data off the network. Finally, they should make sure they have some form of evidence that the data taken off the network is destroyed.
"We are dealing with criminals who cannot be trusted and who operate with a low moral code. If it is possible to recover and remove the attackers from the infrastructure, that would be ideal. Working with the FBI, CISA, and other government agencies can help guide such decisions in these situations.”
Grant Geyer, Chief Information Security Officer and Chief Product Officer at Claroty, agrees. Criminals should be assumed to be faithless:
"It should come as no surprise that taking a cybercriminal at their word is not wise. But whether or not this specific group is going against their word, the fact remains that critical infrastructure organizations are still a lucrative target for many other malicious actors out there. These organizations still need to shore up their defenses as much as possible."
It may not be terrorism, but an attack on the agricultural sector seems to come close. Nick Cappi, Cyber Vice President, Portfolio Strategy and Enablement at Hexagon, wrote that:
"Quasi-terrorism is still terrorism, and we need to treat it as such. Holding an entire organization (and the livelihoods of the employees) hostage shouldn’t be viewed any lesser than any other form of terrorism. No one knows when the next cyber-attack is going to happen or what unknown (or unmitigated) vulnerabilities they are going to exploit. As an industry, we can’t think we are going to drive down risk to an acceptable level by purely looking at reducing the probability of an attack.
"We must start focusing on reducing the consequence of an attack, OT resiliency, specifically Mean Time to Recovery (MTTR). Recent events prove OT resiliency and MTTR is a gap in our security strategy. OT resiliency will give us the ability to recover from events like this in a timely manner, and without paying the ransom. If ransomware isn’t a profit center because customers can recover on their own with little business impact, events like this might just go away on their own."
Claroty's Geyer offers additional perspective from the industrial cybersecurity subsector. He cautions that the incident doesn't necessarily mean that NEW Cooperative's OT systems were compromised:
"Possibly but not necessarily. When an organization gets hit with ransomware, they recognize that they can’t demonstrate positive control over their IT environment. It’s therefore a natural reaction to shut down operations, as you don’t know how deeply or broadly the hackers have infiltrated."
The attack also suggests how vulnerable sections of the US infrastructure are, and what steps companies in the agricultural sector (and organizations in the Government) can take to protect the food supply from disruption. Geyer, again:
"This attack demonstrates just how deeply and broadly the U.S. economy and supply chain is interconnected. Ransomware gangs feed on the psychological impact of putting businesses integral to the supply chain between a rock and a hard place, in order to make the choice to pay the ransom the easiest path forward."
"To protect themselves, any company involved in the food supply chain should ensure that they have complete visibility into all of their systems and processes and make sure to continuously monitor for any threats that could result from a targeted or opportunistic attack. An accurate asset inventory is the first step toward proper vulnerability management to ensure critical systems are up to current patching levels and compensating controls are in place when appropriate.
"Network segmentation is also a critical strategy to impede attackers’ lateral network movement. OT networks are no longer air-gapped and network segmentation compensates for this by preventing attackers from using stolen credentials or compromising Active Directory and other identity infrastructure in order to move from system to system stealing data and-or dropping malware or exploits.
"Strategically, organizations should regularly test incident response plans, and conduct tabletop exercises to put those plans into motion without impacting production environments. Training and testing improve response and ensure business continuity.
"The economic consequences to individual companies are so potentially devastating that the financial calculus will always be tipped towards paying the ransom. For example, in 2019 the city of Baltimore suffered $18 million in losses by deciding not to pay the ransom, which would have cost only $76,000 at the time. That’s exactly why the U.S. government is taking executive and legislative action to create a system of incentives and disincentives to drive mandatory breach notification."
Treasury sanctions sections of the ransomware ecosystem.
There have been some US moves against the infrastructure that supports the ransomware underworld. The US Treasury Department this morning announced that it was taking steps to disrupt the financial structures that sustain the ransomware criminal economy. Cryptocurrency exchanges engaged in money laundering and processing ransom payments are being singled out for special attention. The first of those to come under sanction is SUEX.
Treasury explained the implications of its move against SUEX:
"As a result of today’s designation, all property and interests in property of the designated target that are subject to U.S. jurisdiction are blocked, and U.S. persons are generally prohibited from engaging in transactions with them. Additionally, any entities 50% or more owned by one or more designated persons are also blocked. In addition, financial institutions and other persons that engage in certain transactions or activities with the sanctioned entities and individuals may expose themselves to sanctions or be subject to an enforcement action. Today’s action against SUEX does not implicate a sanctions nexus to any particular Ransomware-as-a-Service (RaaS) or variant."
General US policy with respect to such ransomware sanctions was also outlined this morning. As Treasury notes, most cryptocurrency exchanges and transactions are "licit"—they're going after the ones engaged in specifically criminal conduct. The Treasury announcement also details collaborative enforcement actions it’s taking in conjunction with international partners, notably the G7.
Neil Jones, cybersecurity evangelist at Egnyte, welcomes the news, and wishes confusion to the alt-coin industry's bad apples:
“This is outstanding news for global companies that face growing numbers of ever-more-complex ransomware attacks, particularly new cyberattack techniques that combine ransomware, data exfiltration and Distributed Denial of Service (DDoS) to perpetrate 'triple extortion' attacks on vulnerable organizations. For several decades, financial transfers by criminal entities that leverage traditional payment methods such as wire transfers and large cash deposits have been illegal, and have been monitored very closely by the US government. Unfortunately, that oversight drove cybercriminals to cryptocurrency payment platforms, which have occasionally served as safe havens for their nefarious ransom payments. Finally, I agree with the US Treasury Department that most cryptocurrency transactions are legal and legitimate, so it's promising to see that the industry's 'bad apples' will be identified and sanctioned.”
Danny Lopez, CEO of Glasswall, also generally welcomes the development, but sees difficulty ahead for attempts to disrupt the ransomware economy:
“The latest sanctions from the U.S. Treasury Department aimed at disrupting the financial supply chain for cryptocurrency-based ransomware payments are a welcome development -- but unfortunately they are unlikely to slow down what is an ever-growing wave of ransomware attacks. The reason cryptocurrency is favoured by criminals is because it is difficult - though not impossible - to track. Bad actors are simply looking for the path of least resistance with the greatest reward. Sanctions like these are positive but at this stage they will not deter attackers, who can still easily use different exchanges or payment methods.
“To truly combat these malicious actors and minimise successful ransomware attacks, it is critical that organisations address the source and prevent them (rather than react). Ransomware attacks demonstrate that a traditional castle-and-moat approach to network security leaves organisations exposed. Zero trust security sees the world differently and is the approach that needs to be adopted. It means that no one is trusted by default, regardless of whether they are inside or outside a network. In a world where data can be held amongst multiple cloud providers it is crucial to strengthen all processes relating to access verification. Without a zero trust approach, organisations run the risk of attackers having free rein across a network once they are inside.”
And Alex Pezold, CEO of TokenEx, sees an adversary that learns and adapts:
"As made clear by these sanctions, cybercriminals continue to evolve and find new ways to compromise and exploit consumer data. The decentralized nature of cryptocurrencies can make them harder to trace, which only encourages bad actors to operate more brazenly and aggressively.
"Because of this, ransomware attacks and other attempts to breach data stores are growing more frequent and damaging. To address these concerns, every organization must have a plan for what data to protect, and how to build resiliency into company systems so they can 'reboot' when necessary. Without a detailed strategy for defending against these types of attacks, organizations will be especially susceptible to them."