At a glance.
- Ransomware group claims responsibility for MSU cyberattack.
- Ex Uber CSO sentenced for data breach cover-up.
- Capita confirms data exposed in recent attack.
- Extortionists use compromised university systems to communicate with victims.
Ransomware group claims responsibility for MSU cyberattack.
Last month US higher ed institution Montana State University (MSU) notified the school community it had suffered a system outage as the result of a cyberattack, but at the time details regarding the incident were scarce. MSU secured the network and asked faculty and students to reset their passwords, advising them to avoid using MSU-owned devices or internet networks while administrators worked to restore the impacted systems. Now JDSupra reports that the Royal ransomware group added MSU to its list of breach victims on the gang’s leak site. The cybercriminals have not yet posted any evidence of the breach or exfiltration of data, and none of the school’s communications thus far indicate a ransomware attack.
Ex Uber CSO sentenced for data breach cover-up.
Joe Sullivan, former security chief at ride-sharing company Uber, has been sentenced to three years of probation for his involvement in the cover-up of a 2016 data breach. As Security Week explains, Sullivan was accused of obstructing the US Federal Trade Commission’s investigation into a data breach Uber experienced in 2014. It was while that incident was being investigated in 2016 that Sullivan decided not to disclose a newer breach that was even larger than the first. In this second incident, the data of over 50 million Uber users and drivers were stolen, and the hackers extorted the company, receiving $100,000 through Uber’s bug bounty program. Sullivan allegedly instructed the attackers to sign non-disclosure agreements to keep silent about the stolen data. It wasn’t until a year later, when the company brought on a new CEO, that Sullivan’s actions were discovered. As the Washington Post reports, Sullivan became the first corporate executive to be convicted of crimes related to a data breach carried out by external hackers when he was found guilty of obstruction of justice and hiding a felony. While prosecutors pushed for Sullivan to be sent to prison for fifteen months, US District Judge William Orrick decided on just probation and community service, noting Sullivan’s past record of protecting individuals from previous breaches and the actions he took to prevent the stolen data from being released. The landmark case drew attention from industry experts, and Kiersten Todt, former chief of staff at the Cybersecurity and Infrastructure Security Agency, warned the judge that his verdict could “make it impossible to recruit smart people into the roles of CISOs and CSOs if imprisonment is on the table — and will set the industry back.” However, Orrick responded that Sullivan’s attempts to deceive the federal government could not go unpunished. Before sentencing, Sullivan spoke before the judge, stating, “I was a bad role model. We’re there to be the champion of the customer, and I failed in this case.”
(Added, 3:30 PM ET, May 7th, 2023. Roger Grimes, data-driven defense evangelist at KnowBe4, sees the proceedings and sentence as a cautionary lesson about transparency. "I believe that radical transparency benefits almost everyone in every scenario, including data breaches. Thank goodness that we have more and more data breach and privacy laws which require more and more organizations to report breaches in a timely manner so all stakeholders are informed and can prepare if needed. With that said, Sullivan is far from alone in covering up data breaches. Back when he did it, it was fairly common. It still is, but not so much since Sullivan was made a primary example of what not to do. He was an example that instantly transformed many C-levels from thinking that breaches should be covered up to the best of your ability, to timely, reported events. The threat of jail time tends to clear the senses that way."
Avishai Avivi, CISO at SafeBreach, finds the sentence "balanced and appropriate." He wrote:
“As with most CISOs, I was waiting to see District Judge William Orrick's sentencing of Joe Sullivan. I think that, considering the guilty verdict, Judge Orrick's sentencing of Joe to three years' probation and 200 community service hours was well balanced and appropriate. Judge Orrick took into consideration the many letters in support of Mr. Sullivan's long-term contribution to the public and the information security field in particular. Judge Orrick did note that the former Uber CEO Travis Kalanick was "just as culpable" as Joe Sullivan. While I understand some may be disappointed that Mr. Sullivan avoided jail time, Judge Orrick made sure to note that this was an "unusual one-off". Judge Orrick also noted that if he has a similar case in the future, "even if the defendant had the character of Pope Francis, they would be going to prison" -- sending a clear message to the CISO and business community, and confirming to the Justice department that this was a one-off leniency.
"This is a good time to reaffirm the central role CISOs play in companies, and that the “cybersecurity buck stops with them”. One of the most important things the CISO can do is to create and put in place a contingency plan before they get breached, to minimize the financial and operational fallout when they do. But such a plan will only be successful if it has been created, vetted, and rehearsed well in advance with the executive team, legal, and the board.
"This touches on a final point, and that is recognizing that the CISO is a business partner, and that partnership should enable the CISO to avoid having to deal with the ethical dilemma that Joe Sullivan had to face, and ultimately bear the consequences of his choice.”)
Capita confirms data exposed in recent attack.
Capita, a British outsourcing company, has begun notifying its pension clients that some of their data were potentially exposed in a March cyberattack that impacted its internal Microsoft Office 365 applications. The company initially stated last month that there was no evidence that any data had been compromised. However, the ongoing investigation has revealed that some pensions data handled by Capita were likely exfiltrated by the hackers. A company spokesperson told Reuters, "Capita is working closely with specialist advisers and forensic experts in investigating the incident to provide assurance around any potential customer, supplier or colleague data exfiltration." It’s worth noting that the British government is among Capita’s clients, as the company provides IT and tax management services for councils. The full investigation into the incident is expected to be completed in the next two weeks.
Extortionists use compromised university systems to communicate with victims.
Bluefield University has warned its community that the ransomware gang that hit the university's systems has been using compromised communication systems to contact the victims directly. The Record describes how the AvosLocker gang has been pressuring the victims themselves.
We heard from several industry experts on this attack. Jon Miller, CEO and co-founder of Halcyon, sees this form of communication with victims as an innovation in the world of crime:
"The fact that the AvosLocker operators are communicating directly with the impacted population whose data is at risk and whose daily lives have been disrupted by the attack, is unprecedented. There have been cases of double and triple extortion, in which the attackers reach out to a victim’s clients or partners in an effort to put more pressure on the victim to pay. However, we have not seen a case of an attacker actively communicating and basically lobbying the secondary victims of a ransomware attack in this manner.
"While the disruption to services is always a concern, the real threat is the theft of sensitive, personal, and financial data, that will result in lasting damage. The attack can be remediated, and systems respond, but once the data is in the hands of the threat actors, even if a ransom is paid, there is no guarantee the data will not be exploited in further crimes.
"Ransomware attacks that include the theft of sensitive data will continue unabated until the profit motives for the threat actors are eliminated. This is organized crime we are dealing with; they only care about bringing pain to victims for their own financial gain. To protect themselves and their students, education organizations must seriously reevaluate what kinds of data they collect and store, and for how long. Eliminating the unnecessary storage of sensitive data will make EDU organizations a less attractive target to attackers and help reduce overall risk.
"Ransomware groups continue to victimize the education sector simply because they are easy targets. CISA recently warned about the growing risk to the education sector from ransomware attacks, noting that some gangs disproportionately target the education sector. CISA released updated guidelines for K-12 organizations, but guidelines don’t protect systems and they don’t pay for security boots on the ground. The education sector needs more resources and more skilled personnel, or they will keep being victimized in this manner.”
Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, offers some cautionary advice:
"Anytime a ransomware attack or any cybersecurity environment intrusion has occurred you have to assume ALL password logons stored or used during the intrusion's dwell time are compromised. Far too often, most ransomware victims are late to change passwords and very rarely do they change every password they need to. Most change only the network logon passwords for all users and maybe all users' email passwords, but it's not enough. When you have a cyber compromise you have to change ALL passwords! It means every one of them, at least the ones possibly used OR even just stored, during the entire period of time the intrusion was active. This is complicated by the fact that most victims don't know when the attacker first gained initial access, so you just have to assume that all used and stored passwords are compromised and immediately change them after the environment is secure enough that it makes sense to now change them. I think far more victims or potential victims are going to be surprised to learn that their officially defined 'control' or 'admin' channels, which they have indicated in their emergency response plans are the way to communicate response efforts, are also compromised and have to be considered unreliable. This incident indicates that the victim didn't shut down all necessary access from attacker control. They likely shut down Internet access or Internet access into their areas of primary concern, but forgot to shut down attacker access to adjunct services that they may or may not have considered a critical service."
Chris Hauk, Consumer Privacy Advocate at Pixel Privacy, urges that organizations be quick and forthcoming in their disclosures of ransomware attacks. "It is inexcusable for an organization to not fully disclose the damage done in a data breach like this one. Let's hope that Bluefield University is being up-front about what information was taken in the breach, and that hopefully students will not be heavily impacted by the breach. The usual warnings go for the parties that may be affected by this breach, including to stay alert for any phishing attempts, such as email, text, or phone. The bad actors responsible for the breach or that purchase the information stolen in the breach may use the information they already have in an attempt to cheat the users out of additional info."
Rebecca Moody, Head of Data Research at Comparitech, sees the attack as an example of the growing ruthlessness of the ransomware gangs:
"We are seeing an increasing number of organizations avoiding recognition of a ransomware attack or 'playing down' the effects of the attack at first. However, ransomware gangs are becoming ever more ruthless in their negotiations and release of data, forcing organizations to change tack. To suggest there is no evidence of stolen data/identity theft when an attack is first discovered is a little naive. Where possible, ransomware gangs are going to steal data that they can use to intimidate the entity into paying if the entity refuses to pay/is able to decrypt its systems without paying the ransom. So far this year, we have noted 25 confirmed ransomware attacks on US education institutions. In the first four months of 2021, we only noted 15, suggesting a vast increase in attacks across the education sector. The average ransom on education institutions in 2023 is $1.25m."
Paul Bischoff, Consumer Privacy Advocate and one of Rebecca Moody's colleagues at Comparitech, hopes the gang is bluffing, although of course it might have the goods it claims to possess. "For Bluefield University's sake, I hope the supposedly stolen data is just a bluff. If it turns out that the university lied to students about the severity of the attack, it could have severe consequences both for students and the university itself. Neither the university nor the hackers specified what data was stolen, so it's difficult to predict any consequences right now."
Brian Higgins, a Comparitech Security Specialist, recalls a similar case in the United Kingdom. "The U.K. tested a similar crisis alert system a few days ago and whilst this incident only affected 900 students, the U.K. one was a nationwide program. I’m fairly sure, however, that it is defended by a multi-layered, comprehensive security framework. The lesson here is that it’s no good just investing in good perimeter defense. Your network hosts a spectrum of services and some are more vulnerable than others. Try to be clever about how you risk-assess and deploy resources so that attackers in your network can’t access everything all at once."