Beyond SolarWinds, Russian Hackers Target Austin, Texas

All cities with critical infrastructure should be worried about cyberattacks.

Edward Gately, Senior News Editor

December 23, 2020

The massive SolarWinds hack has been grabbing headlines for going on two weeks, but it’s not the only recent attack by reported Russian hackers.

State-sponsored malicious hackers reportedly breached the city network of Austin, Texas. The breach appears to date back to mid-October.

Daniel Trauner is director of security at Axonius. He’s been following the Austin attack and believes that all cities with critical infrastructure should be worried about cyberattacks.

According to the Austin American-Statesman, Austin hasn’t confirmed whether its network was attacked by Russian hackers.

Last week, we reported that bad actors inserted malicious code into SolarWinds’ Orion software updates sent to nearly 18,000 customers. It existed in updates released between March and June of this year.

We spoke with Trauner to learn more about the implications of attacks like the one on Austin.

Channel Futures: Does the fact that this was carried out by state-sponsored Russian hackers make this breach unique? If so, why?

Daniel Trauner: Not particularly. A number of major breaches over the last few years involved some level of state-sponsored activity. This does appear to be an infrastructure-focused operation, however, which means that the attackers almost certainly had more specific, complex motivations.

CF: How were these malicious hackers able to pull off this breach?

DT: It’s not entirely clear, though a number of other sources have reported that this breach is not related to the supply-chain attack involving SolarWinds. According to their report, it was also conducted by a different Russian threat actor.

CF: What sort of damage have the Russian hackers caused the city?

DT: The city has seemed to avoid commenting on the impact, though some reports mentioned receiving a message stating that there had been no loss of “personal information.” This isn’t revealing much.

CF: Why should all cities with critical centralized infrastructure be worried about potential cyberattacks?

DT: Unlike your smartphone, most industrial control and related systems won’t regularly bother you to install software updates. The code deployed to these systems is often designed to be updated every few years at best. And in some cases, it may not ever be updated unless there’s an emergency or if the hardware is being replaced, too. While the standards for the development of such software may be higher or designed to maximize safety in the event of failure, no complex software is unhackable. The fact that you may have much older software running on certain infrastructure is a natural weak point.

CF: What actions can cities take to better prevent or at least minimize the damage from cyberattacks?

DT: Understand what infrastructure you have. And ensure that you have up-to-date information about as many properties as you can for these assets. Make sure that if there have been critical software or hardware advisories put out by the manufacturers, that you’re aware of the guidance they’re providing and plan to take action if required. And as with any good security operations practice, ensure you have a centralized logging solution that you actually monitor and alert on. And have a formal/documented incident response procedure for investigating and responding to alerts.

CF: Can MSSPs and other cybersecurity providers help these cities be prepared? If so, how?

DT: In line with the above advice, ensuring that you have a deep understanding of your asset landscape – not only the devices and users in your systems themselves, but their relationship to one another – is often the most difficult part of the process. Past that, strong observability in the form of logging, monitoring and alerting, as well as a formal incident response procedure, will help you react quickly and effectively in the event that something goes wrong.
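The inventory-and-advisory discipline Trauner describes above, as an added example (this code is not from the article or from Axonius). It cross-checks a constructed asset inventory against constructed vendor advisories and separately flags records whose data has not been confirmed recently; the vendor, product, version and advisory identifiers are all hypothetical.

```python
"""Added example (not from the article or Axonius): check a constructed asset
inventory against constructed vendor advisories and flag stale records."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Tuple


@dataclass
class Asset:
    asset_id: str
    vendor: str
    product: str
    version: str         # firmware/software version, "major.minor[.patch]"
    last_verified: date  # when the inventory record was last confirmed


@dataclass
class Advisory:
    advisory_id: str
    vendor: str
    product: str
    fixed_in: str        # first version that contains the fix
    severity: str


# Constructed sample inventory and advisories (hypothetical vendors, products, IDs).
TODAY = date(2020, 12, 23)
ASSETS = [
    Asset("plc-01", "ExampleVendor", "PLC-X", "2.3.1", date(2020, 10, 1)),
    Asset("plc-02", "ExampleVendor", "PLC-X", "2.4.0", date(2020, 12, 15)),
    Asset("hmi-01", "ExampleVendor", "HMI-Y", "1.0.5", date(2020, 6, 1)),
    Asset("rtu-01", "OtherVendor", "RTU-Z", "5.2", date(2020, 12, 1)),
]
ADVISORIES = [
    Advisory("ADV-0001", "ExampleVendor", "PLC-X", "2.4.0", "critical"),
    Advisory("ADV-0002", "ExampleVendor", "HMI-Y", "1.1.0", "high"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically, not as strings
    ('2.10.0' must sort after '2.9.0')."""
    return tuple(int(p) for p in v.split("."))


def affected_assets(assets: List[Asset], advisories: List[Advisory]):
    """Return (asset_id, advisory_id, severity) for every asset that runs a
    version older than the advisory's fixed_in version for the same product."""
    hits = []
    for adv in advisories:
        for a in assets:
            same_product = (a.vendor, a.product) == (adv.vendor, adv.product)
            if same_product and parse_version(a.version) < parse_version(adv.fixed_in):
                hits.append((a.asset_id, adv.advisory_id, adv.severity))
    return hits


def stale_assets(assets: List[Asset], today: date = TODAY, max_age_days: int = 90):
    """Assets whose inventory data has not been confirmed within max_age_days;
    an advisory match against an unverified version is only a guess."""
    limit = timedelta(days=max_age_days)
    return [a.asset_id for a in assets if today - a.last_verified > limit]


def review(assets: List[Asset], advisories: List[Advisory], today: date = TODAY):
    return {
        "affected": affected_assets(assets, advisories),
        "stale": stale_assets(assets, today),
    }


if __name__ == "__main__":
    for key, rows in review(ASSETS, ADVISORIES).items():
        print(key, rows)
```

The stale check matters as much as the advisory match: in the sample, hmi-01 is both affected by an advisory and unverified for over six months, so the first action is to confirm what is actually running there before planning the fix.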

Record Rise in Ransomware Attacks in Q3

Positive Technologies’ third quarter cyber threatscape research report showed a massive increase in ransomware attacks, accounting for more than half of all malware attacks.

Cybercriminals increasingly are targeting the health care industry. In particular, attackers have begun exploiting global interest in a COVID-19 vaccine.

The report shows a slowdown in the explosive growth in attacks seen during the first two quarters of the year as the pandemic picked up steam. Additionally, the number of targeted attacks remained stubbornly high, growing from 63% in the second quarter to 70% in the third quarter.

Social engineering has become relatively less common since the start of the year, according to Positive Technologies. It fell from 67% of attacks against organizations in the first quarter to just 45% in the third.

Yana Yurakova is a Positive Technologies analyst.

“We believe that another interesting feature of this quarter is the increased use of hacking as a method of attacking companies,” she said. “This tactic jumped by 12 percentage points.”

Early in the pandemic, companies hurriedly created processes to enable a remote workforce. This meant bringing more services to the perimeter. This created vulnerabilities.

In addition, systems that organize remote work are themselves subject to known vulnerabilities.

Most surprising is the “callousness” of malicious hackers toward medical workers, Yurakova said.

“Doctors saving lives now need stability more than ever — constant access to information and medical equipment to processing test results,” she said. “Hackers who had promised not to launch attacks on this critical sector instead pursued profit and took a human toll.”

Social engineering attacks have dropped due to “consumers gradually becoming accustomed to the new reality, where the subject of COVID-19 no longer has the same effect,” Yurakova said.

“Criminals keep searching for vulnerabilities in services on the perimeter of corporate systems,” she said. “In this environment, with a pandemic raging and the growth of a remote workforce, many companies have made more services available on the perimeter for the first time. That’s understandable, but a lack of accompanying protection gives hackers more opportunities to do what they do.”

Even low-skilled hackers can search for common vulnerabilities at the perimeter of companies, Yurakova said. And they can sell the access they gain to other criminals willing to go further.

“For companies in the field of information security, the identified trends certainly open up new opportunities,” she said. “They can help companies organize a vulnerability management process and check perimeter security, perhaps with service inventory and penetration testing. All this will minimize the likelihood of hacking attacks and prevent bad news by eliminating weaknesses.”

NSA Warns of Hackers Forging Cloud Authentication Information

The U.S. National Security Agency (NSA) has issued an advisory about threat actors looking to access resources in the cloud by forging authentication information.

The agency provided Microsoft Azure administrators guidance to detect and protect against these threat actors. NSA released the guidance “in response to ongoing cybersecurity events.” That refers to the SolarWinds hack that targeted private and government organizations in at least seven countries.

Brendan O’Connor is CEO and co-founder of AppOmni.

“Risk of third-party applications has always been a concern for security teams,” he said. “The SolarWinds breach is an example of a third-party application inserting a vulnerability into an otherwise secure infrastructure. While the SolarWinds breach occurred in an on-premises environment, third-party apps can also create vulnerabilities in SaaS environments.”

AppOmni’s data shows that, on average, there are more than 42 distinct third-party applications connecting into live SaaS environments within an enterprise. About half of these applications were connected directly by end users, not installed by IT administrators. The typical enterprise has an average of 900 user-to-application connections. This represents hundreds of third-party connections to the data stored in the SaaS environment.

Of those 42 third-party apps, an average of 22 have not been used in the last six months, O’Connor said. And yet they retain the ability to access data via these connections.

“These inactive applications often represent a trial usage that was abandoned from a user’s perspective, or applications where the business contract may have expired but the vendor access was not removed,” he said. “These application connections remain authorized until that access has been revoked.”

Individual users frequently approve third-party connections without any security oversight, O’Connor said. These applications provide pathways into an organization’s most sensitive data. These cloud-to-cloud connections exist outside the firewall and cannot be detected by traditional scanning and monitoring tools.
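The audit O’Connor’s numbers imply (distinct apps, user-approved connections, and apps unused for six months that still hold access) as an added example; this code is not from the article or from AppOmni. It runs over a constructed list of app grants with hypothetical app names and scopes, and lists inactive apps as revocation candidates together with the scopes they still hold.

```python
"""Added example (not from the article or AppOmni): audit constructed SaaS
third-party app grants and list inactive apps as revocation candidates."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Grant:
    user: str
    app: str
    installed_by: str          # "user" (self-service consent) or "admin"
    scopes: List[str]
    last_used: Optional[date]  # None means the grant has never been exercised


# Constructed sample grants (hypothetical users, apps and scope names).
TODAY = date(2020, 12, 23)
GRANTS = [
    Grant("alice", "calendar-sync", "admin", ["calendar.read"], date(2020, 12, 20)),
    Grant("bob", "calendar-sync", "admin", ["calendar.read"], date(2020, 12, 18)),
    Grant("alice", "pdf-export", "user", ["files.read", "files.write"], date(2020, 5, 2)),
    Grant("carol", "pdf-export", "user", ["files.read"], date(2020, 4, 11)),
    Grant("bob", "trial-crm-connector", "user", ["contacts.read.all"], None),
    Grant("dave", "analytics-bot", "admin", ["reports.read"], date(2020, 11, 30)),
]


def _by_app(grants: List[Grant]):
    groups = defaultdict(list)
    for g in grants:
        groups[g.app].append(g)
    return groups


def connection_summary(grants: List[Grant]):
    """Counts in the shape the article quotes: distinct apps, user-to-app
    connections, and apps that reached the tenant only through end-user consent."""
    groups = _by_app(grants)
    user_installed = sum(
        1 for gs in groups.values() if all(g.installed_by == "user" for g in gs)
    )
    return {
        "distinct_apps": len(groups),
        "connections": len(grants),
        "user_installed_apps": user_installed,
    }


def inactive_apps(grants: List[Grant], today: date = TODAY, inactive_days: int = 180):
    """Apps with no grant used inside the window. A never-used grant counts as
    inactive: it is typically an abandoned trial that was never revoked."""
    cutoff = today - timedelta(days=inactive_days)
    candidates = []
    for app, gs in sorted(_by_app(grants).items()):
        used = [g.last_used for g in gs if g.last_used is not None]
        newest = max(used) if used else None
        if newest is None or newest < cutoff:
            candidates.append({
                "app": app,
                "last_used": newest,
                "users": len(gs),
                # union of scopes still granted, so reviewers see what access remains
                "scopes": sorted({s for g in gs for s in g.scopes}),
            })
    return candidates


if __name__ == "__main__":
    print(connection_summary(GRANTS))
    for c in inactive_apps(GRANTS):
        print(c)
```

The output is a review list, not an automatic revocation: the scopes column is there so the owner of each app can judge what an attacker holding that grant could still read or write before access is removed.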

“We’ve known this is a problem for quite some time,” he said. “Looking back at the Apollo breach, we saw the compromise of a third-party app as the stepping stone to dumping 200 million contacts from a major SaaS application.”

Cloud applications are one of the biggest blind spots, O’Connor said.

“This year we have seen a huge increase in cloud adoption driven by the pandemic and work from home,” he said. “Existing investments in security technologies that focus on the network or the endpoint cannot help us with this challenge. It’s not that our premises tools have failed; the data has moved where they can’t see it.”

Successful organizations will have a process for continuously scanning and monitoring their cloud applications, and a review and approval program for third-party connections.

StrikeForce First Security Company to Launch Video Conferencing

StrikeForce Technologies is rolling out SafeVchat, the first video conferencing platform developed by a cybersecurity company.

SafeVchat leverages StrikeForce’s authentication and keystroke protection technology. That makes it the only platform of its kind that incorporates a proprietary meeting authorization and two-factor authentication for every meeting participant.

Additionally, SafeVchat Premium includes protection for the camera, microphone, speakers, keyboard and clipboard. It also prevents unwanted screenshots with PrivacyLok.

George Waller is StrikeForce’s executive vice president and co-founder.

“Every existing platform claims to have strong security features,” he said. “But time and time again they’ve proven to be vulnerable.”

SafeVchat offers a “tremendous” opportunity for StrikeForce’s partners, Waller said.

“Prior to COVID-19, the video conferencing marketplace was expected to grow from $2.6 billion in 2019 to around $6.6 billion by the end of 2025,” he said. “When COVID-19 hit and the world changed, video conferencing is now part of the new normal.”

The market should now reach $50 billion in the same time frame.

“This explosive growth has also created a focal point for hackers looking to steal data,” Waller said. “That’s why the FBI and Department of Justice alerted the public about hackers going after video conference users.”

Video conferencing platforms are now used to share health care data, financial data, employee and corporate data, and more.

“It’s for these reasons why companies are running away from many of these big-name, no-security video conferencing platforms,” Waller said. “They are not cybersecurity people; they are video conferencing providers. StrikeForce is at the convergence point of cybersecurity and video conferencing.”

Since announcing SafeVchat, more than 300 companies have reached out wanting to use the system, he said. Every one of those opportunities went to StrikeForce partners.

About the Author

Edward Gately

Senior News Editor, Channel Futures

As senior news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
