Cyberwars: Attacks and Counterattacks (i.e., Response and Prevention)

Presented by Nora E. Wetzel, League of California Cities, October 16, 2020

www.bwslaw.com

Nora E. Wetzel

Nora is a commercial litigation attorney in Burke’s San Francisco office with a focus in data privacy matters. Nora has been designated as a Certified Information Privacy Professional, United States (CIPP/US) by the International Association of Privacy Professionals (IAPP).

Introduction

This presentation will identify forms of attack, such as ransomware, malware, phishing, and business email compromise, as well as inadvertent exposure through loss of paperwork, sending data to the incorrect recipient, and loss of encrypted or un-encrypted devices.

Overview of cyber incidents in the public sector

• Email Phishing Campaigns

• Remote Desktop Protocol Vulnerabilities

• Software Vulnerabilities

Other methods of Cyber Attacks

01 Advanced Persistent Threats

02 Denial of Service (DoS) Attacks

03 Insider Attacks

04 Malware

05 Password Attacks

06 Man in the Middle (MITM) Attacks

We Learn From The Best

In 2020, bad actors have made use of the Covid 19 pandemic to deploy cyber-attacks.

Bad actors are sending out spam attacks based on Covid-19:

• a sextortion scheme threatening to infect the recipient’s family with Covid 19 if the recipient does not pay the amount demanded

• a fundraising request purporting to be from the World Health Organization (WHO) requesting donations in Bitcoin to fund Covid 19 research

• messages purportedly coming from WHO but including documents with malware

FBI Warnings

01 An e-mail from an unknown party that, many times, is written in broken English with grammatical errors

02 The recipient is accused of visiting adult websites, cheating on a spouse, or being involved in other compromising situations

03 The e-mail or letter threatens to send a video or other compromising information to family, friends, coworkers, or social network contacts if a ransom is not paid

04 The recipient's personal information is noted in the e-mail or letter to add a higher degree of intimidation to the scam. For example, the recipient's user name or password is provided at the beginning of the e-mail or letter

05 The e-mail or letter includes a statement like, "I had a serious spyware and adware infect your computer," or "I have a recorded video of you" as an explanation of how the information was allegedly gathered

06 The e-mail or letter provides a short window to pay, typically 48 hours

07 The recipient is instructed to pay the ransom in Bitcoin

In 2019, cyber-attacks cost entities $3.5 billion in losses (FBI 2019 Internet Crime Report).

Business Email Compromise

A BEC attack begins with a cybercriminal hacking and spoofing emails to impersonate your company's supervisors, CEO, or vendors.

• The Bogus Invoice Scheme

• CEO Fraud

• Account Compromise

• Attorney Impersonation

• Data Theft

There has been an increase in BEC attacks to divert payroll funds.

Tech Support Fraud

• Criminal claiming to provide technical support or service in an effort to defraud unwitting individuals

• May pose as support or service representatives offering to resolve such issues as a compromised e-mail or bank account

• Recent examples included attackers posing as customer support for travel industry companies, financial institutions, or virtual currency exchanges

“CALIFORNIA WAS THE STATE WITH THE MOST VICTIMS AND HIGHEST LOSSES CAUSED BY CYBER ATTACKS”

8 Types of Cyber Attacks Small to Medium-Sized Businesses Face

Ransomware

In 2019, 205,280 organizations submitted files that had been hacked in a ransomware attack — a 41 percent increase from the year before

Cyber Insurance

Some businesses and city governments are taking out insurance to be ready for ransomware demands

EXAMPLES OF CYBER ATTACKS ON CITIES

Hartford, Connecticut

Attacked in early September 2020 by ransomware that affected 200 of the city’s servers, including those used by the school system, the police department, and emergency dispatchers. According to the city, it quickly shut down servers and froze its technology systems. It continued to run all the city’s first responder systems, though reopening of its school system was delayed. The city did not have to pay a ransom to regain access to its servers, though it did not explain how it was able to avoid doing so.

Lafayette, Colorado

Suffered a cyber attack in late July 2020, which disrupted the city’s phone, email, online payment, and reservations systems. Ransomware called “Snatch” infiltrated the city’s computer network through a phishing or brute force attack and started locking down computer files. This type of ransomware typically uses remote desktop protocol, brute force methods, and/or takes advantage of an unpatched hole in a computer network. The city paid a $45,000 ransom to unlock its data.

Florence, Alabama

Experienced a ransomware attack in June 2020 that shut down the city’s email system. The city decided to pay over $250,000 from its insurance fund to recover data encrypted in the attack, though it was able to negotiate the ransom demand down from the initial amount of $378,000.

Torrance, CA

Attacked in March 2020 when its computer systems were compromised, interrupting the functioning of its email accounts and servers. City documents, including city budget financials, various accounting documents, document scans, and an archive of documents belonging to the City Manager, were leaked to the dark web. The hackers claiming responsibility, DoppelPaymer operators, stated that they erased the City's local backups and then encrypted approximately 150 servers and 500 workstations. The hackers demanded a 100 bitcoin ($689,147) ransom for a decryptor, to take down files that had been publicly leaked, and to not release more stolen files.

Durham, North Carolina

The City and County of Durham, North Carolina was struck with the Ryuk ransomware in March 2020, thought to be the same ransomware responsible for the 2019 New Orleans attack noted below. This was actually two separate attacks, and though they were detected and contained, they caused most city networks and phones to remain offline during the recovery process, and resulted in 80 servers needing to be rebuilt and 1,000 compromised computers to be reimaged.

North Miami Beach Police Department

North Miami Beach Police Department was hit with a ransomware attack in February 2020 demanding $5 million to get the department’s information back.

Colonie, New York

Suffered a cyber attack in January 2020. Though it could not determine how the ransomware infected its systems, the city had reliable backups that allowed it to continue operation without having to pay the $400,000 bitcoin ransom demanded to retrieve the files the ransomware locked.

Las Vegas, Nevada

Suffered a cyber-attack on January 7, 2020. The city commented that bad actors likely gained access to the city’s network via a malicious email. The city had taken a public position not to pay a ransom back in July, though it is unclear if the attack involved ransomware. The city reportedly caught the attack early and claims that it does not believe any data was lost or taken.

New Orleans, Louisiana

New Orleans fell victim to a cyberattack in December 2019. It detected suspicious activity on the City’s network, investigated, and discovered a ransomware attack affecting roughly 4,000 City computers. The city’s IT department ordered all employees to power down computers and disconnect from Wi-Fi. All city servers were also powered down, and employees were told to unplug any of their devices. The city had cyber insurance and expected it to cover nearly $1,000,000 in costs the city has incurred since the onset of the attack, though it did not cover the costs of paying a ransom.

Pensacola, Florida

Was hit by a cyberattack in December 2019, affecting city email and landlines, a customer service line, and online bill payments for energy and sanitation. As a result of the incident, staff disconnected computers from the city’s network until the issue could be resolved. Pensacola did not reveal any further information about how the cyberattack first occurred, what type of personal data was breached, or whether the attack stemmed from malware or ransomware.

San Marcos, California

Was targeted in October 2019 by a suspected cyber attacker. San Marcos’s email system used by city employees was affected, leaving employees unable to communicate with some of the public. Employees discovered the problems, and the city manager confirmed the city was the victim of a suspected hacking.

Baltimore, Maryland

Baltimore fell victim to ransomware known as "RobbinHood", in attacks some experts say involved a tool developed by the National Security Agency. The attack locked the city out of its computer servers for ransom. City systems are reported to be slowly recovering from the attack, which officials said cost Baltimore more than $18 million.

Atlanta, Georgia

Atlanta’s computer networks were targeted in March 2018. The hackers demanded $51,000 in Bitcoins and held the city hostage for nearly a week, while the city refused to pay. Apparently, some city services used hardcopy paper to continue operations. The city reportedly did not want to reward and encourage more ransomware attacks, and considered that there was no guarantee systems would be restored even if it paid. This stance has hit the city hard: costs associated with the attack are estimated to be as high as $17 million. The U.S. Justice Department now reports that two Iranian hackers were behind the attack on Atlanta. The two hackers are thought to have developed the SamSam ransomware, a type of malicious software.

22 Texas Cities

22 Texas Cities’ computer systems were infiltrated by hackers demanding a ransom. A mayor of one of those cities said the attackers asked for $2.5 million to unlock the files. Officials did not identify which specific cities were affected. The Texas Department of Information Resources stated that the evidence pointed to a single threat actor. A representative for the department reported that he was “not aware" of any of the cities having paid the undisclosed ransom sought by hackers, and disclosed that the impacted locales were mostly rural.

ADDITIONAL ATTACKS AFFECTING GOVERNMENT ENTITIES

August 2020: Hackers for hire suspected of operating on behalf of the Iranian government were found to have been working to gain access to sensitive information held by North American and Israeli entities across a range of sectors, including technology, government, defense, and healthcare.

August 2020: An Iranian hacking group was found to be targeting major U.S. companies and government agencies by exploiting recently disclosed vulnerabilities in high-end network equipment to create backdoors for other groups to use.

February 2020: The U.S. Defense Information Systems Agency announced it had suffered a data breach exposing the personal information of an unspecified number of individuals.

January 2020: The FBI announced that nation state hackers had breached the networks of two U.S. municipalities in 2019, exfiltrating user information and establishing backdoor access for future compromise.

December 2019: A Chinese state-sponsored hacking group attacked government entities and managed service providers by bypassing two-factor authentication used by their targets.

December 2019: Unknown hackers stole login credentials from government agencies in 22 nations across North America, Europe, and Asia.

October 2019: An Israeli cybersecurity firm was found to have sold spyware used to target senior government and military officials in at least 20 countries by exploiting a vulnerability in WhatsApp.

September 2019: A Chinese state-sponsored hacking group responsible for attacks against three U.S. utility companies in July 2019 was found to have subsequently targeted seventeen others.

September 2019: North Korean hackers were revealed to have conducted a phishing campaign over the summer of 2019 that targeted U.S. entities researching the North Korean nuclear program and economic sanctions against North Korea.

July 2019: State-sponsored Chinese hackers conducted a spear-phishing campaign against employees of three major U.S. utility companies.

Inadvertent exposure

There are other unintentional methods of data exposure that can result in a significant data security breach event for cities. Inadvertent exposures can occur through loss of paperwork, sending data to the incorrect recipient, and loss of encrypted or un-encrypted devices.

WHAT TO DO WHEN A CYBER INCIDENT HAPPENS

TYPICAL PHASES OF RESPONSE TO A CYBER-ATTACK

• Investigation

• Containment

• Remediation

• Notification

DETECT THAT A CYBER-ATTACK HAS OCCURRED

• Clear instruction about what qualifies

• Who and how to notify

• Timing for notifications

• Notify cyber insurance provider

Classify the incident

Once an incident has been detected, classify the incident. Examples include critical, significant, or minor. Determine ahead of time what is critical, significant, or minor for your organization.

Investigate and Contain

Triage and set objectives

Consider what is most important for your entity: is it resuming service as quickly as possible? Is it protecting confidential information? Is it confirming the integrity of data where the integrity of data is critical for the entity? This likely will differ with what data, applications, and/or operations are affected.

Remediation

The goal is to restore the organization to its normal functioning. When a ransomware attack occurs, the best method of restoration, if you have implemented best practices and have backups, is to restore your system to normal functioning from your backups. Alternatively, it might be paying a ransom to get your files back, which we note is not endorsed by the FBI.

Notification

Rely on legal counsel’s advice as to whether a data breach has occurred under applicable law. If it has, then you will likely need to notify affected individuals, and you may have to notify state attorneys general, credit agencies, or other entities as specified by the applicable law.

www.bwslaw.com

Cybersecurity Best Practices

• Be skeptical of last minute changes in wiring instructions or recipient account information.

• Verify any changes and information via the contact on file—do not contact the vendor through the number provided in the email.

• Ensure the URL in emails is associated with the business it claims to be from.

• Be alert to hyperlinks that may contain misspellings of the actual domain name.

• Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s email address appears to match who it is coming from.

There are general best practices for cybersecurity outlined by the FBI. They include the following:

• Regularly back up data and verify its integrity. Ensure backups are not connected to the computers and networks they are backing up. For example, physically store them offline. Backups are critical in ransomware; if you are infected, backups may be the best way to recover your critical data.

• Focus on awareness and training. Since end users are targeted, employees should be made aware of the threat of ransomware and how it is delivered, and trained on information security principles and techniques.

• Patch the operating system, software, and firmware on devices. All endpoints should be patched as vulnerabilities are discovered. This can be made easier through a centralized patch management system.


• Ensure anti-virus and anti-malware solutions are set to automatically update and that regular scans are conducted.

• Implement the least privilege for file, directory, and network share permissions. If a user only needs to read specific files, they should not have write-access to those files, directories, or shares. Configure access controls with least privilege in mind.

• Disable macro scripts from Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Office Suite applications.


• Implement software restriction policies or other controls to prevent the execution of programs in common ransomware locations, such as temporary folders supporting popular internet browsers, and compression/decompression programs.

• Employ best practices for use of Remote Desktop Protocol (“RDP”), including auditing your network for systems using RDP, closing unused RDP ports, applying two-factor authentication wherever possible, and logging RDP login attempts.


• Implement application “whitelisting.” Only allow systems to execute programs known and permitted by security policy.

• Use virtualized environments to execute operating system environments or specific programs.

• Categorize data based on organizational value, and implement physical and logical separation of networks and data for different organizational units. For example, sensitive research or business data should not reside on the same server and network segment as an organization’s email environment.


• Require user interaction for end-user applications communicating with websites uncategorized by the network proxy or firewall. For example, require users to type information or enter a password when their system communicates with a website uncategorized by the proxy or firewall.
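The RDP guidance above ends with logging RDP login attempts; the log only helps if someone reviews it for the brute-force pattern described in the Lafayette example. The Python script below is an added example, not material from the presentation or the FBI; it scans a constructed login-attempt log in an assumed one-line-per-attempt format and flags a source that fails repeatedly inside a short window, as well as a success that follows such a burst.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. The one-line format (timestamp, outcome, user, source IP)
# is an assumption for this example; real RDP logon events would be exported to it.
SAMPLE_LOG = """\
2020-10-16T02:14:05Z FAIL user=administrator src=203.0.113.7
2020-10-16T02:14:09Z FAIL user=admin src=203.0.113.7
2020-10-16T02:14:12Z FAIL user=jsmith src=203.0.113.7
2020-10-16T02:14:15Z FAIL user=backup src=203.0.113.7
2020-10-16T02:14:19Z FAIL user=scanner src=203.0.113.7
2020-10-16T02:14:23Z FAIL user=finance src=203.0.113.7
2020-10-16T02:14:40Z OK user=finance src=203.0.113.7
2020-10-16T02:30:00Z FAIL user=mlee src=198.51.100.9
2020-10-16T02:30:20Z OK user=mlee src=198.51.100.9
"""


def parse(line):
    """Split one log line into (timestamp, succeeded, user, source)."""
    ts, outcome, user, src = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), outcome == "OK",
            user.split("=", 1)[1], src.split("=", 1)[1])


def detect(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return (source, kind, detail) alerts: 'brute_force' when one source fails
    `threshold` times within `window`, and 'success_after_failures' when a login
    succeeds from a source still inside such a burst (the guessing may have worked)."""
    recent = defaultdict(deque)  # source -> (timestamp, user) of failures in the window
    flagged, alerts = set(), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ok, user, src = parse(line)
        q = recent[src]
        while q and ts - q[0][0] > window:  # expire failures older than the window
            q.popleft()
        if ok:
            if len(q) >= threshold:
                alerts.append((src, "success_after_failures",
                               f"{user} logged in after {len(q)} failures"))
            continue
        q.append((ts, user))
        if len(q) >= threshold and src not in flagged:  # report each source once
            flagged.add(src)
            accounts = {u for _, u in q}
            alerts.append((src, "brute_force",
                           f"{len(q)} failures against {len(accounts)} accounts"))
    return alerts


if __name__ == "__main__":
    for src, kind, detail in detect(SAMPLE_LOG):
        print(f"{kind:24} {src:16} {detail}")
```

The second alert kind is the one worth paging on: a success from a source that was just guessing passwords is a likely compromise, not merely an attempt.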

There are also some specific recommendations by the FBI to take for protection against Business Email Compromise attacks:

01 Educate employees

02 Multifactor Authentication

03 Confirm URL associated with correct business

04 Check domain name

05 Do not supply login credentials

06 Monitor accounts

07 Patch software systems

08 Verify email address (esp. mobile)

Ensure the settings on employees’ computers are enabled to allow full email extensions to be viewed.
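Several of the checks in the list above and in the earlier Cybersecurity Best Practices list (sender address, displayed link versus actual target, misspelled domain names, changed wiring instructions) can be applied mechanically before a message reaches a person. The Python script below is an added example, not part of the presentation or any FBI material; the set of known partner domains, the anchor-tag regex and the sample message are constructed for it.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the organization legitimately corresponds with (constructed for this example).
KNOWN_DOMAINS = {"bwslaw.com", "examplevendor.com"}
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")
PAYMENT_CHANGE_RE = re.compile(r"\b(new|updated|changed)\s+(wire|wiring|bank|account)", re.I)

# Constructed sample: lookalike sender domain, link text hiding a different target, changed wiring.
SAMPLE_FROM = '"Accounts Payable, Example Vendor" <ap@examplevend0r.com>'
SAMPLE_HTML = ('<p>Please note our updated wiring instructions.</p>'
               '<a href="http://examplevendor.com.login-portal.example/pay">'
               'https://examplevendor.com/pay</a>')

def registrable_domain(host):
    """Last two labels of a hostname (adequate for .com; not a public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])

def levenshtein(a, b):
    """Edit distance, used to catch one-character misspellings of a known domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Known domain this one imitates (digit-for-letter swaps or one-character edit), else None."""
    if domain in KNOWN_DOMAINS:
        return None
    norm = domain.translate(str.maketrans("10", "lo")).replace("rn", "m")
    for known in sorted(KNOWN_DOMAINS):
        if norm == known or levenshtein(domain, known) <= 1:
            return known
    return None

def check_message(from_header, html_body):
    """Return the red flags found; an empty list means none of the checks fired."""
    findings = []
    _, addr = parseaddr(from_header)
    sender = registrable_domain(addr.rpartition("@")[2])
    if sender not in KNOWN_DOMAINS:
        hit = lookalike_of(sender)
        findings.append(f"sender domain {sender} " + (f"imitates {hit}" if hit else "is not a known partner"))
    for href, text in ANCHOR_RE.findall(html_body):  # simple <a href="..."> anchors only
        target = registrable_domain(urlparse(href).hostname or "")
        shown = DOMAIN_IN_TEXT_RE.search(text.lower())
        if shown and registrable_domain(shown.group(0)) != target:
            findings.append(f"link text shows {shown.group(0)} but points to {target}")
        hit = lookalike_of(target)
        if hit:
            findings.append(f"link target {target} imitates {hit}")
    if PAYMENT_CHANGE_RE.search(html_body):
        findings.append("announces changed payment details; verify via the contact on file")
    return findings
```

Running `check_message(SAMPLE_FROM, SAMPLE_HTML)` reports all three red flags; a message from a known domain whose link text matches its target reports none.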
