At a glance.
- Hatch Bank breach could be a lesson for regulators and lawmakers.
- In defense of TikTok.
Hatch Bank breach could be a lesson for regulators and lawmakers.
The Cl0p ransomware gang has taken responsibility for an attack on Hatch Bank, a banking platform that provides credit card support for fintech companies. As TechCrunch explains, the hackers exploited a zero-day vulnerability in the Fortra GoAnywhere file-transfer software, giving them access to the data of thousands of customers, including Social Security numbers. Fortra first learned of the bug on January 29 and published a vendor notice on February 1, but only on its private website and behind a login. The flaw was not shared with the general public until February 2, when security journalist Brian Krebs posted an alert on the social media platform Mastodon, and it wasn't until February 3 that Fortra finally sent out a notice to customers. Fortra released a patch for the bug on February 7, and the bug was added to the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities Catalog on February 10. The delay in Fortra's response, though small, demonstrates how vendors are effectively left to their own devices when it comes to cyber incident notification. Though Hatch is only the second known victim of the bug (US healthcare provider Community Health Systems being the first), Cl0p claims to have used the vulnerability to hack over 130 organizations over the course of ten days. Indeed, a Shodan report shows there are at least that many vulnerable servers directly exposed to the Internet as a result of the bug. This raises the question: if Fortra had acted sooner, could some of the victims have been spared? Experts say the incident could serve as evidence of the need for federal regulation regarding incident notification.
Roger Grimes, data-driven defense evangelist at KnowBe4, thinks that there have been missteps in the handling of this incident that might well be addressed in law or policy. "It is absolutely unreasonable for any vendor to put a security vulnerability notice in a non-public area. What's next, paywalls?" he asks, rhetorically. He describes the sequence of events that typically surround disclosure:
"Ignoring Fortra's initial private disclosure, this example shows the good and bad of existing, state-of-the-art, widescale vulnerability disclosure. Fortra is aware of the vulnerability on Jan. 29th, likely because some exploited customer or data protection vendor notices the 0-day hack and notifies Fortra. Fortra publishes the first vendor notice on Feb. 1st, on their private website, but doesn't say the exploit is being publicly used already (although this is likely). Within days, more Fortra customers have been exploited using the vulnerability. Brian Krebs alerts everyone on Mastodon about the vulnerability on Feb. 2nd. Fortra proactively warns customers on Feb. 3rd. While we would prefer that any vendor notify all impacted customers right away, a few days' delay (Jan. 29th, a Sunday, to Feb. 1st first notice) isn't a huge red flag as the vendor tries to figure out exactly what is happening, how, who is impacted, and what to communicate, etc. Not a super timely response, but not the worst response ever.
"Rapid7 writes about it on Feb. 3rd (https://www.rapid7.com/blog/post/2023/02/03/exploitation-of-goanywhere-mft-zero-day-vulnerability). The vulnerability gets published to the NIST National Vulnerability Database on Feb. 6th (https://nvd.nist.gov/vuln/detail/CVE-2023-0669), same day as Rapid7 writes a detailed report about it. By then, someone has run a Shodan report showing that there are at least 135 vulnerable servers directly exposed to the Internet. On Feb. 7th, Fortra releases a patch. Before that, Fortra didn't have a patch, but recommended customers implement several mitigations. It gets added to CISA's Known Exploited Vulnerability Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) on Feb. 10th, as an exploit that is being used by hackers to exploit real-world targets, which needs to be patched ASAP.
"By then, potentially more than 100 customers have been exploited. The Russian-affiliated Clop ransomware gang makes unsubstantiated claims (https://www.bleepingcomputer.com/news/security/clop-ransomware-claims-it-breached-130-orgs-using-goanywhere-zero-day/) that they have exploited over 130 victims in 10 days. It's probably not the exact same list as Shodan showed, as the ransomware gang says they used each victim as a jumping-off point to other victims.
"The lingering question is how many other vulnerable Fortra servers are out there, still not patched or mitigated. So, from the time the vendor was aware until the exploit is published in national databases is 1-2 weeks. Perfect would be a patch pushed out to all customers before they wake up on Day 2 of the vulnerability being discovered. Instead, in the real world, it takes longer. How much longer? 1-2 weeks. And in that time, someone's exploiting the vulnerability.
"What we need is a national law allowing vendors (or forcing them) to push patches or mitigations to registered customers as soon as possible after the discovery. Time is of the essence. We don't need to factor in all the other time waiting for customers to be notified, waiting for national databases to be updated, etc. What we have today, 1-2 weeks, that's really great, especially compared to history where it often took many weeks to months to get patches pushed out. A national or global auto-patch functionality would be even better. A law is needed to protect vendors against any operational downtime resulting from the proactive, forced patch. Doing so would minimize risk and best protect more customers."
In defense of TikTok.
TikTok bans are spreading like wildfire, with a US House panel this week advancing a bill that could allow President Joe Biden to prohibit even private use of the Chinese-owned social media platform. Government officials say TikTok, owned by the Beijing-based company ByteDance, poses a risk to national security, as it could give the Chinese government access to masses of US user data and could be used to spread disinformation. However, several civil liberties and digital rights groups have started voicing their opposition to blacklisting the app. On Tuesday, the American Civil Liberties Union (ACLU) launched a petition urging lawmakers to drop the ban, saying it "would violate the First Amendment rights of millions of Americans who use the app to express themselves daily." Ramya Krishnan, a staff attorney at the Knight First Amendment Institute, told the Washington Post, "A ban on TikTok…would be like banning a newspaper or TV channel, but worse…It would shut down a channel of communication that tens of millions of Americans use to share information and ideas every day."
Indeed, when the Trump administration first attempted to ban the platform, the courts repeatedly put up roadblocks due to the potential violation of the First Amendment. Opponents of the ban also note that a TikTok ban would not be necessary if lawmakers passed more stringent federal privacy rules governing all companies. Digital rights group Fight for the Future, which has posted its own petition opposing the ban, argues, "Yes, it's worrying that the Chinese government could access the data that TikTok collects. But TikTok's just one head of the hydra…We don't need more hyperventilating about TikTok: we need strong privacy and transparency laws, and antitrust action to break up the companies getting rich off their data empires." Other free speech advocates have noted that a TikTok ban would seem hypocritical of the US, which actively calls out foreign governments that impose state censorship over the internet or conduct mass surveillance. House Democrats have also expressed their dismay over the passage of the aforementioned bill. Commerce Secretary Gina Raimondo stated on Wednesday that "passing a law to ban a single company is not the way to deal with this issue. This is America."