Kaleigh Alessandro (KA): Hi there and welcome to Omega Systems’ quarterly Cyber Threat update. My name is Kaleigh Alessandro, and I’m joined by my colleague Rick Mutzel, who is Omega’s head of Security and Technology. We are recording this on-demand update on December 12th, 2023, and we’re here to talk about some of the recent trends that we’re seeing across the cybersecurity landscape.
So, Rick, I think we should just dive in.
Rick Mutzel (RM): Sure thing.
KA: We have a couple of primary threat trends that we want to cover today, the first of which is the role that end-of-life software and firmware is playing in security vulnerabilities.
So the way that we’ve structured this is we’ll cover some basic details, offer a few examples and then talk about some best practice guidance as it relates to these trends.
So Rick, let’s start with the basics. Can you tell us a little bit about what it means for a piece of software or firmware to reach end of life or end of support and why that can present some significant security risks?
RM: Sure. End of life or end of support is general guidance from a vendor that a piece of hardware or piece of software is no longer being supported by whichever vendor is producing that piece of hardware or software. So what that means in practice is they will no longer be providing any kind of security patches, bug fixes, or security updates to protect against vulnerabilities.
And so, you know the implications of that are going to be if a vulnerability is found because they’re no longer supporting it, they’ll no longer provide any kind of fixes to go along with that to remediate anything that’s found in the wild.
And you’re kind of stuck where you are with that particular point in time whenever the end of support occurred.
KA: So for me, thinking back, the biggest example of this that I was aware of and that sort of came to mind for me was WannaCry, which was back in 2017, and I believe that was an exploit of Windows XP, which at the time had reached its end of life.
Can you talk a little bit about why maybe that was successful at the time or if there are other recent examples that you’ve come across where you know vulnerabilities are coming into play for this software that’s no longer being supported?
RM: So WannaCry is a pretty good example. In this particular case, the EternalBlue exploit that was being utilized by the NSA was stolen by the threat actors known as the Shadow Brokers. And then that started to be utilized in the wild, and they were specifically targeting Windows XP machines because Microsoft had taken that operating system to end of life and wouldn’t be producing any more patches for it.
So they knew that those were very easy targets, because you can quickly identify what is a Windows XP machine and know, from a threat actor perspective, that there’s no way there will be any remediation of this. So there would be an ongoing issue no matter what; that machine is always going to be compromised for that particular vulnerability. There are all kinds of vulnerabilities like that in that scenario.
In recent years, Windows Server 2012 is the same kind of concept, with Microsoft end-of-life-ing that. And so if you’re running an on-premise version of Server 2012, again there will be no more security-related updates, bug fixes, and things along those lines. If you’re perpetually running a Windows Server 2012 machine and there are vulnerabilities found – and there always are – you will not have any ability to get those applied to resolve any of those within your systems.
Other common applications and systems can experience the same kind of thing – you might be running old, unsupported versions of Internet Explorer. Citrix and VMware, you know, they’re all following that same kind of cadence, where at some point a manufacturer has to stop supporting something that they produced 10 years ago to move on to more productive work, moving the ladder forward with new versions and making those supported.
And if you’re not keeping up with software agreements with the vendors and you’re not applying those current updates, you’re going to be susceptible on an ongoing basis to those exploits and vulnerabilities.
KA: Think about how many home machines, even if you’re staying on top of it on the corporate side of things, are running some of these older applications or operating systems. And if they’re trying to access corporate information, there’s probably a lot of software and systems that are getting overlooked for people at home.
RM: Well, there may be very specific reasons why they can update as well. Maybe the hardware doesn’t support the new operating system. Maybe the vendor went out of business and there are no supportability models for any current version, so remediation efforts could vary. It may not be something as simple as just upgrading your version of the OS. It may require substantial costs in upgrading those if the vendor doesn’t support this anymore. Now we have to move to a whole different platform to remediate, you know, the application that’s running on Windows Server 2012, for example.
KA: And obviously, hackers out there are taking advantage of these end-of-life cycles, knowing that there’s going to be a lot more work involved or potentially no options available in terms of remediating those vulnerabilities. So staying on top of those life cycles is not an easy job unless you’re working with an MSP like Omega who’s helping you stay apprised of some of these things.
So what are a few things that businesses need to think about incorporating into their IT and security programs that would help them better protect against some of these end of life vulnerabilities that are popping up?
RM: Just trying to stay ahead of it, being prepared, so having a good IT asset inventory of all your assets and just knowing when those end-of-life dates are coming up, so you’re not stuck at the last minute trying to perform remediation. Working with somebody to project that out, you know, into whatever your budgeting cycles are – three-year or five-year budgeting plans. Especially with a workstation scenario, take Windows 7, Windows XP, or the upcoming Windows 10 in 2025. Looking at those and saying, I have a fleet of 500 assets that are still running Windows 7. You don’t want to get stuck replacing all of those at the same time, one from a budgetary perspective, and two from a labor perspective; trying to offset every user in my environment at the last minute is going to cause some interruptions there.
So being able to budget and forecast that out with a good lifecycle management policy, and that goes against having that good inventory to begin with.
Obviously, doing vulnerability scanning internally and externally so you’re aware of what the vulnerabilities are. That will also help identify some of those end-of-life items that are out there, and trying to put a mitigation policy in place. Like I said before, you may not be able to replace that. So what other mitigating controls can we put in place on our network to help reduce the risk of that reoccurring? In a scenario where you’re never going to replace this kind of system, you know, we can segment the networks, not provide external access to those, and limit the ports and services that those machines can get to. Those are all good compensating controls that you can put in place to really reduce the risk of some of those systems.
And again, that just goes back to a more holistic process of managing your attack surface across your environment.
KA: And again, taking into account all of those devices and endpoints, in the home, in the office, that you’re traveling with – I think is a good reminder as well.
KA: The other trending topic that we wanted to touch on today as part of our threat update is business email compromise, which we’ve talked about before. It is a specific kind of spear-phishing where hackers are posing as key executives – CEO Fraud is a common example – and using that impersonation to compromise or extract sensitive information, in most cases inducing financial transactions.
KA: Rick, can you talk a little bit about some of the changing trends you’re seeing lately as it relates to business email compromise?
RM: They’re getting really good.
KA: That’s the takeaway, right?
RM: Business email compromise is probably one of the largest incident response (IR) trends that we’re seeing. And it takes the lowest hanging fruit within your organization, which is the end user, and it’s specifically targeting those with very detailed information.
So these spear-phishing campaigns, like I said, are getting very, very good. Before, it was very easy to identify these: bad language, bad punctuation. You could very easily tell somebody copied and pasted something into some kind of language translator, right? So it was very easy to determine that, yeah, this is a phishing email.
With the rise of AI components like ChatGPT, it’s very, very difficult to find these sometimes. So there are many things that we can do to help prevent those. Obviously, user awareness training is always a very good first step, to go and train the end users on how to identify some of these very common tactics.
So if there are calls to alert or immediate attention needed on something, that’s a red flag. But then also moving those outside of just email, we’ve seen an increase in text message phishing (smishing). So have your organization have a policy or awareness of don’t click on links on your phone for text messaging as well. And just being, you know, generally aware that these things are out there and they’re getting better.
KA: Yeah, I think the other thing that seems to be changing is they’re getting more patient, right? We’ve talked about this on the ransomware side of things: they’re spending more time scoping out networks, lingering, doing some reconnaissance, obviously feeling like there’s more reward versus risk there, right?
I highlighted an example here that I came across recently with a school district, but they’re taking their time, which I think is a trend that we’re seeing as well, right?
RM: Yeah. “Low and slow” is kind of the new tactic. They want to perform proper reconnaissance so that those phishing emails are accurate, or they’re intercepting them and replying back and just changing key details, like the account number to transfer to.
So being vigilant, watching your tenants for account rules like mail delivery rules, things along those lines, and having a solution that’s going to trigger an alert. So if the CEO’s account suddenly has a new mail rule put in place that’s moving everything to the RSS feeds folder to try to obfuscate some of those tactics, you know about it.
And then also, you know, the last resort is usually going to be the last-ditch effort of encrypting everything. So they’ve probably been in your environment for a period of time, and after they’ve performed all the reconnaissance, they’ve gotten all the information, they’ve exfiltrated the information that they want. Now the last thing left to do is, you know, do a ransomware attack, encrypting the files, and that shows their hand, right? There’s somebody in my environment doing something nefarious, but they’ve probably already been in there and have already gotten everything that they want from your environment prior to that.
KA: In this example I highlighted on the slide, it was the COO of a public school district in Connecticut. Hackers gained access to his email account, kept an eye on things, looked at the vendors that he was interacting with, then posed as one of those vendors. And ultimately, they realized $6 million in losses. So, you know, pretty hefty for a public school district. And just another example of why to have some of those best practices and controls in place to mitigate some of these potential threats.
And so you touched on some of these already, but maybe just, you know, thinking again about some of the best practices that businesses should be putting in place to avoid these types of serious and costly attacks.
RM: So multi-factor authentication (MFA) is always recommended on any service that you have that’s going to be publicly facing with any kind of login. Most people have MFA in place, so now the hackers need to find a way to bypass that. So now there are session tokens that they’re stealing, so then they don’t need the MFA code. They don’t even need your user account and credentials anymore, because they have a session cookie that they can move to another computer.
So our recommendation is to move to a zero trust security model, and that helps prevent that. So if the device is not known to the system, is not trusted, even though you have the username and the password and potentially a session cookie, it still is going to block that login. Zero trust is a big trend.
And we’re urging that, as we’re running into those IR events, we’re pushing that more and more. Obviously, having some kind of solution for alerting, so looking and monitoring actively for the login activities, specifically looking for out-of-the-normal behavior for a user, whether it’s location or times of day that they’re logging in.
And then again, just the last common denominator is building internal controls for the users. So if you get a suspicious email that’s asking you to transfer money, just pick up the phone and call the user. Don’t reply to the existing email. Go walk to their office or give them a phone call, out of band of whatever that communication channel is. It could be a text message or email. Go physically talk to somebody if you can and verify the validity of that request.
KA: Yep, all good reminders.
So just to sort of wrap things up here, 2024 is scarily around the corner. Any predictions in terms of trends and threats that we should expect to see more of next year? What should we be keeping our eyes on?
RM: Ransomware is rearing its head again, and it’s kind of morphed. So the traditional “I’m going to just encrypt your environment and hold your data” ransom is no longer paying as much as it used to, so now the trend is there: they’re getting it out of your environment, and so you may have regulatory requirements for breach notification, things along those lines. That makes it more valuable for the ransom to get paid.
We’re seeing a trend in actually having pay scales for those ransoms. So here’s a price for us not to leak your information. And then here’s an additional cost if you don’t want us to leak it and you want the decryption key. So we’re seeing that as a trend for a lot of the ransomware groups, because not as many people are paying, because they do have good disaster recovery and business continuity plans in place.
Another one of the trends, obviously the big buzzword, is AI. AI’s everywhere, right? And so we’re seeing now within the United States, and I believe yesterday the EU had landmark guidance on proper utilization, kind of putting some guardrails on AI and what the proper and ethical usage of AI is.
So if you plan on using that, or if you aren’t using it but want to, put something in place for guidance for employees. I would highly recommend thinking about having policies and procedures in place to give that guidance for employees and staff and developers on what is the appropriate usage of AI within your environment. There are large implications in sending your data off to a third party, so sensitivity. There’s data leakage potential, and again vendor due diligence wherever you’re sending your data. Make sure you’ve done proper due diligence on those vendors and make sure they have proper security controls in place.
KA: Everybody gets caught up in the “what can AI add to my operations, my efficiency?” But there’s a lot of risk there. So thinking about how not to use it is equally as important.
Alright. Well, thank you, Rick. That was really helpful and concludes our last quarterly threat update for 2023. Be sure to visit our website and catch up on some of our recent blog articles and thought leadership. And of course, Rick and the rest of our team are here if you have questions or are looking for guidance in combating any of these evolving threats.
We wish you all a safe and healthy holiday season and we’ll see you next year. Take care.