Episode 17: A Hack Is Imminent
I was made aware of a cybercriminal that has access to the network and computers of at least two businesses in the same industry as one of my clients. Some of the details were eerily similar but not all of the information matched.
Not that it matters because we have taken extraordinary measures (they really should be standard operating procedures) to prevent this type of access. The access is through a Managed Service Provider like the one I own (Nwaj Tech). It is through one of the RMM tools that this particular MSP uses.
How could this have happened? What can be done differently? Who is involved?
All of these questions and more are answered in this episode!
People are the weakest link in any cybersecurity plan. We’re distracted, exhausted and often unmotivated. It’s time to change the approach used to protect our businesses, technology, identity and data. The human element has to be front and center in the war against data breaches and ransomware attacks. It’s time to educate.
I saw a post on Facebook, in a local Facebook group from my area. And the woman said that she had only gone to two places that day, I think it was a Wendy’s and an ATM. And she was concerned because somebody had made fraudulent charges on her card. And she assumed that it was either Wendy’s or the ATM where the card information was stolen. So I advised this woman in the Facebook group, publicly to everybody in the Facebook group, that it didn’t necessarily happen that day, that somebody could have stolen that debit card or credit card number weeks or months ago, and just held on to it and eventually sold it. And this is what happens on the dark web: credit card numbers are stolen and sold on the dark web all the time. And so when this happens, the stolen card may not get used for sometimes months. In fact, this happened to me, probably 10, 12 years ago. I used to have a Citibank account. I got a phone call on a Monday morning asking if I was in France over the weekend, because there were all these fraudulent charges on my bank account in France for hundreds, a few hundred dollars at a time, 300, 700, not huge charges, but big enough to get the bank’s interest. And of course, I wasn’t in France, I was at work on a Monday morning, I didn’t go to France that weekend. And those charges were fraudulent. And fortunately for me, Citibank reversed it. It took them about five days, but they did reverse it. But it just goes to show you that cyber criminals are patient, they will take their time, and they will eventually attack and/or do what they need to do to make money.

Welcome to the Human Element podcast. Visit our website at the human element dot net for more content to help you strengthen your awareness of the people problem in cybersecurity. I am Scott Gombar, owner of Nwaj Tech, a client focused, security minded, proactive IT service provider. Hi, and welcome to episode 17. I’m sort of keeping my promise in recording almost a week after the last episode.
I think it is actually a week after the last episode. So here we are. And in today’s episode I’m going to talk, we’re going to be somewhat vague when it comes to company names and things like that, because I don’t know that this is public information yet. But I did learn from a client about a company that has been breached, but they are not aware yet. It’s actually two companies that have been breached. And it sounds like it might be through the same managed service provider. So a managed service provider, if you don’t know: I own a managed service provider called Nwaj Tech. And what that means is we take care of all the IT needs, and that is supposed to include cybersecurity, for businesses. Clearly this managed service provider is not doing their job. Now, I’m going to be vague because I don’t know that it’s public information yet. It was shared with me by one of my clients who happens to be in the same industry. And so what they’ve discovered is that on a hacker forum, somebody, and you know, I don’t know if the person is a hacker or if it’s an employee or who they are, but somebody has access through the managed service provider’s remote management tools to two different companies, at least two different companies, maybe more, I don’t know, and is offering to sell that information. So the purpose of this podcast today is really twofold. One is to discuss how this person could have access to these two companies, smaller businesses with a few hundred employees. Which again points to what I always say, that it doesn’t matter how big your business is, because the cybercriminals don’t care; if they can make money, they’re going to make money and/or make a name for themselves. They’re going to do what they want to do to make that happen. And it doesn’t matter how big or small you are, if you have PII, or even more important, PHI, and I’ll define those in a moment, then you’re considered high value. PHI is extremely valuable on the dark web.
So PII is personally identifiable information. And those are things like credit card numbers, social security numbers, home address, email address, first and last name, things like that. Information that can identify who you are. And a lot of information is already on the internet, so some of it is not a secret. So your home address more than likely is on the internet. There’s a good chance we could find your email address and phone number on the internet. But they can dig deeper and find more personal, personally identifiable information. PHI is protected health information. And this is the stuff that your doctors, your hospitals, and your dentists and all those practices that work with insurance are supposed to protect. And when that gets out to the dark web, that has a high dollar amount attached to it. That’s one of the best selling items on the dark web. And, you know, maybe in a future podcast we’ll talk more about the dark web. It’s an interesting place, definitely some illegal activity, some interesting things on there. But it’s considered the black market of the internet. So what happens is, someone recognizes that they can get access to a business with, say, thousands of detailed records of clients. In this case it is not healthcare, so it’s not PHI. So, potentially thousands, most likely thousands or tens of thousands, of personally identifiable information records. So I go to this type of business, and they potentially run a credit report on me, or get some tax information from you, or something along those lines, as it is in the financial world. Which also, by the way, means that they will be subject to the FTC Safeguards Rule that is supposed to kick in on June 9. If you’re not familiar with the FTC Safeguards Rule, when you’re in a business that has anything to do with the financial information of a potential client, then you might want to look it up.
If you just search FTC Safeguards Rule, you’ll see lots of information. Go to the FTC website. I will have a blog post on the Nwaj Tech website in the very near future, but it kicks in on June 9. And so the information that is available from this business, these businesses, is that type of information. And so we’re thinking credit card numbers, social security numbers, tax returns, credit reports, things like that. All right. So someone is selling this information on the internet, on the dark web. And they were approached by people in the industry, sort of as a spy, I guess you could say. And that was to try to figure out what they had and what they’re trying to do with it. And it was determined that it was two businesses. Two businesses were mentioned, but they were not mentioned by name. So they’re still not clear as to what businesses they are. But they do have enough information that they might be able to figure out who the businesses are. Now, what information was given was that the seller on this dark web forum had access through a managed service provider. So most managed service providers, although I’m seeing more and more that don’t, for some reason, I don’t get it, but most managed service providers provide remote support in the form of a helpdesk where they can remote into a client’s computer and, you know, do software updates or provide technical support, things like that. And so they have access to this managed service provider’s tools that allow them to access their clients’ computers. Now, who could this be? This could be somebody who figured out the passwords to access these tools. And this has happened quite a bit. We’ve seen it happen with Twitter, we’ve seen it happen with other managed service providers. We’ve seen it happen with organizations where they get in with a weak password.
This happened with SolarWinds a few years ago. That was a big supply chain attack, so this is similar in that nature. So they either figured out your weak passwords or got in through phishing, a very simple phishing email sent saying, hey, we need you to update your password on your remote support tool. And again, I’m leaving the name of the tool out of it because I’m trying to be as vague as I can about the details. But this is real. And when it does come to light, I will be sure to share it with the whole world. I just don’t know that it’s public information yet. And so they could have phished them and said, reset your password here, and took them to a website that looked a lot like the real website, but wasn’t. So this is phishing, using an email and using a phishing website, so that’s called hybrid phishing, and therefore has a much higher success rate.
It could have been a phone call from “the company,” and I’m using air quotes here, saying, you need to reset your password, and I’ll send you a link right now to do that. And that improves the success rate even more. It could also be an insider threat. So that would be an employee or an ex-employee who maintained access after they were let go. And I see this quite a bit, where the employee is let go, but nobody removes their access to anything. So that is another possibility. It could be a current employee who’s just trying to make a few dollars and says, here’s access. They don’t care about their job, because they will probably get caught. But here’s access to these businesses through a remote support tool. So all of these things are possible. And it’s possible that this person has been trying to sell this for quite some time, or has successfully sold other accesses to other companies in the past. We’ve seen this story play out. We’ve seen it in Texas, where a managed service provider was compromised, and I think it was 22 municipalities that were impacted by it. We saw the SolarWinds story a couple of years ago; it’s been, I think it’s been two or three years now, maybe longer, where somebody figured out the FTP, I believe it was, they figured out the FTP password to a management server and got in and messed with the source code for SolarWinds. And that’s what made it a supply chain attack. So this current situation is not necessarily a supply chain attack. However, they’ve got access. And so access is sold on the dark web, and it happens a lot. So often we hear the term hacker, and I don’t like that word, but hacker for this purpose is usually thought of as someone who cracks code or finds a vulnerability and compromises it. But a lot of times the access is gained through what’s called an initial access broker.
So that’s somebody who has access to your network from outside of the company and is going to sell it. Now, again, it could be through a managed service provider, it could be an employee that wants to do damage for whatever reason, it could be a phishing attack that compromised a password. You know, there’s any number of ways they could get in, but somebody gained access. And now they don’t want to do it anymore. They don’t want to continue with the cyber attack. And so now they’re selling it. And there’s a big market for that. And there are actually “companies,” and again, I’m using air quotes, I’m using that term loosely, we will call them ransomware gangs because that’s what they are, where they have hired initial access brokers. They’ve hired script kiddies in a lot of cases, but people that will crack code or crack passwords. They’ve hired people to do phishing attacks, they’ve hired people to launch ransomware attacks. There’s ransomware as a service available out there, and a lot of it’s very affordable. So they do all of this. And then they say, okay, you’ve been hit with ransomware, we’ve stolen all your data, we’re gonna sell everything, or you could give us $10 million, just throwing numbers out there. All right. So now you know how they got in, now you know what they’re up to. And now you know that they could have potentially, and I don’t know in this instance how long they’ve had access, but they could have potentially had access for months. And there have been cases where people have had access to a network for years. So now you’re thinking, alright, this is a managed service provider. They’re supposed to provide cybersecurity. How does this happen? And it is a problem in the industry. They’re creating a bad name for managed service providers. But unfortunately, as a managed service provider, we also have a huge target painted on our back. So yes, people come for us all the time.
The bad guys, the cyber attackers, the cyber criminals, come for us all the time. And so there are things that we can do. And a lot of it is what we already tell our clients to do. So there’s the training, you know, how to recognize phishing emails, how to prevent phishing emails, what to do with an email that we’re not sure is phishing or not. All of that is education. And this is why we consider education a huge part of what we do. And it’s extremely important that we do it so that our clients are better prepared, but also so that we’re better prepared. We see the threats that are out there, and we address them as needed. So if I get a phishing email, or, I’ve gotten two phishing texts in the last 24 hours, plus on LinkedIn someone was trying to get me into a pig butchering scam. We’ve talked about pig butchering a few times. So they messaged me on LinkedIn and pretended to be someone, and then took the conversation to WhatsApp. And I’m currently in WhatsApp talking with this person, because I want to show the world how far it goes. I’ve done this once before, strung it out for about two weeks and then shared it. It’s on our YouTube channel, Nwaj Tech. Alright, so they got in through the managed service provider, so what can the managed service provider do? So first of all, they should be following their own best practices, the ones they’re probably telling their clients to practice. They should lock down their remote access tools. So what do I mean by that? In my company, all the remote access tools, anything that can remote into a client’s computer, are locked down to only two IP addresses. So there’s only two IP addresses that you can be on and remotely access our clients’ computers.
There is a secondary form of authentication any time somebody tries to remote in. So I, or one of the techs that remote in, has to approve the login from a secondary token. And again, I’m being somewhat vague on purpose. And then there is also a log, so I receive, me personally, an email every time a remote session has started. And this way, I can verify that that remote session is legitimate. So I can see what the IP address is, who they’re accessing, and all of the details I need to see in order to determine that that is a legitimate remote access session, on top of locking it down to two IP addresses. So this is me being paranoid. A lot of people think I am paranoid, and I have to agree, when it comes to these things I am. I don’t want to be the reason a client is compromised. So I review those emails as soon as they come in and make sure it’s legit, unless I know it’s me, then I’m probably not going to put as much priority on it. But if I know it’s not me, and it’s one of my helpdesk people, I’m going to confirm that it is legitimate, that it is coming from the right IP address, that they’re accessing a computer for a legitimate reason, I’m going to try to match it with a ticket, all of those things. So that’s something else we’re doing. You should be reviewing the logs. Even if you do get the emails, you should be reviewing the remote access logs. You should have a log file of all the remote access service provided. And if you don’t, then either you don’t know what you’re doing, or you’re using the wrong tools. As a managed service provider, or even internal IT, it is the same thing. And actually, I would venture to say that an IT department within an enterprise business might be easier to compromise, in some ways a little more relaxed, because it’s all one business. The problem that I see is that people get into the business of managed service provider, IT support. A lot of businesses don’t even know they’re providing managed services. They just call themselves tech support, which is fine. It, you know, sort of is tech support. But it’s also cybersecurity. So a lot of people get into the business thinking, okay, I’m going to take my business to the next level, and I’m going to provide these types of services. And they don’t understand the risks that are involved, or they don’t understand the cybersecurity piece of the business. I’ve seen it time and time again. I have been told of IT providers that said, write all your passwords down in a notebook, that’s safer, or don’t turn on multifactor authentication, it’s not necessary. And that was at a healthcare covered entity. And they did get compromised. Just stuff that makes no sense. You know, you don’t need a password on your computer. You don’t need to encrypt your mobile devices or your laptops. All of the things that make no sense if you’re a cybersecurity professional. So I believe in order to be a managed service provider, you also have to be a cybersecurity professional. And we teach all the time about cybersecurity. And we practice what we teach. Zero trust is a huge, huge, huge player in this game. If you have zero trust, and for some reason your computers are compromised, they still can’t run a script without an approval process. So somebody who’s not even in the business, unless again it is internal IT, somebody has to approve that script or that application to run. And if I don’t recognize that request, I don’t know what it is, I do some research, still can’t figure it out, it’s not getting approved. It’s going to sit and wait, and I’m going to wait for a phone call from the person who asked for the access to see if they legitimately need access to it. That’s part of our process. Having passwords on all of the end user computers is huge, and with the screen timeout. So if it’s two o’clock in the morning and somebody’s trying to access these computers and they don’t know the password, they’re not going to get in. They’re not going to be able to do anything. Or removing admin access for all of the users. These are all processes we have in place, by the way. Removing admin access for the user: so even if they do know the user’s password, or for some reason the user’s computer is unlocked or doesn’t have a password, one slips by every now and again, they don’t have access to be able to run anything anyway, even with zero trust. So zero trust is going to ask them if they want to elevate the request, and at that point I’m going to get an approval request. And also, do they want to run the application? Or do they need approval for the application, I should say. And I’m going to get these notifications. And guess what, at two o’clock in the morning, I’m not reading my emails for these requests. I also get a push notification. I’m not checking those at two o’clock in the morning, because none of my clients are working at two o’clock in the morning. In the event that we did have a client that worked at that time, we would address that as needed, and it would be a different process; we would fine tune the process to make sure that they were not compromised. These are all things that could be done to prevent this type of activity.
And as a managed service provider, if it’s not happening, you’re setting yourself up for failure, and you’re setting your clients up for failure. It’s happened time and time again. And as a managed service provider, or an MSSP, because supposedly the business that is compromised is an MSSP, which is a managed security service provider, meaning they’re supposed to have a higher level of security standards over an MSP. Some MSPs partner with MSSPs to make sure that they’re secure. So this particular business has remote access into several businesses with employees in the hundreds, and that access is being sold on the dark web. Now, take that with a grain of salt, of course. The person could just be lying, could just be trying to create a name for themselves. Who knows. But the potential is that it’s an insider threat, a current or ex-employee that maintained access, or somebody that successfully phished somebody on the inside at that managed security service provider, and then was able to get in through a successful phish, more likely a hybrid phish. So I would say probably a phone call followed by an email, and then followed by a phishing website. And I’ll share some of the text phishing messages, also known as smishing, on the Nwaj Tech Instagram page and Facebook page today, as I’m recording this. So it’s March 20 as I record this. I don’t know if it’ll get uploaded today, but I’ll certainly try. Or maybe there was some type of supply chain attack? I don’t think so. But there are many steps that could have been taken to prevent this by the managed security service provider, I don’t know which S comes first, steps that should have been taken that weren’t. And so it is paramount for those in the tech world to understand the threats and prevent the threats.
And if you’re not, you’re failing as a managed service provider, and you’re failing your clients, which is even more important. So hopefully I’ve explained the who, the why, the what and the how, and hopefully it prevents the next one from happening. And when it does come to light, hopefully it never does, but when it does, I’m sure that the information has already been shared with the FBI. So hopefully the FBI can figure out who it is and go from there. Well, when it becomes public, I’m going to say I told you so. So until next time, stay secure.
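As an added example, not part of the episode and not Nwaj Tech’s or any RMM vendor’s tooling: a small Python audit that applies the remote-access controls Scott describes (two allowlisted source IP addresses, a ticket for every session, and scrutiny of after-hours activity) to constructed remote-session log lines. The log format, IP addresses, technician names, business hours and ticket ids are all assumptions.

```python
"""Review remote-support session logs against the controls described in the episode.

Constructed example. Assumes a hypothetical one-line-per-session log with fields:
  ISO timestamp | technician | source IP | client endpoint | ticket id or "-"
Flags sessions whose source IP is outside the allowlist, that carry no ticket
reference, that start outside business hours, or that use an unknown technician.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Hypothetical allowlist: the only two addresses technicians may connect from.
ALLOWED_SOURCES = [ip_network("203.0.113.10/32"), ip_network("203.0.113.11/32")]
BUSINESS_HOURS = range(7, 20)      # 07:00-19:59 local time; tune per client
KNOWN_TECHS = {"scott", "tech1"}   # accounts expected to open sessions

# Constructed sample log lines (not real sessions).
SAMPLE_LOG = """\
2023-03-20T09:15:02 | scott | 203.0.113.10 | acme-ws-07 | TKT-1041
2023-03-20T13:40:11 | tech1 | 203.0.113.11 | acme-ws-12 | -
2023-03-20T02:03:45 | tech1 | 198.51.100.77 | acme-dc-01 | TKT-1042
2023-03-20T16:22:30 | jdoe | 203.0.113.10 | acme-ws-03 | TKT-1043
"""


@dataclass
class Session:
    when: datetime
    tech: str
    source: str
    endpoint: str
    ticket: Optional[str]


def parse_log(text: str) -> List[Session]:
    """Split the pipe-delimited log into Session records; blank lines are skipped."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, tech, src, endpoint, ticket = [f.strip() for f in line.split("|")]
        sessions.append(Session(datetime.fromisoformat(ts), tech, src,
                                endpoint, None if ticket == "-" else ticket))
    return sessions


def audit(session: Session) -> List[str]:
    """Return the list of control violations for one session (empty if clean)."""
    findings = []
    addr = ip_address(session.source)
    if not any(addr in net for net in ALLOWED_SOURCES):
        findings.append("source IP not in allowlist")
    if session.ticket is None:
        findings.append("no ticket reference")
    if session.when.hour not in BUSINESS_HOURS:
        findings.append("outside business hours")
    if session.tech not in KNOWN_TECHS:
        findings.append("unknown technician account")
    return findings


def audit_log(text: str) -> Dict[str, List[str]]:
    """Map 'endpoint@timestamp' to findings for every session that needs review."""
    report = {}
    for s in parse_log(text):
        findings = audit(s)
        if findings:
            report[f"{s.endpoint}@{s.when.isoformat()}"] = findings
    return report


if __name__ == "__main__":
    for key, findings in audit_log(SAMPLE_LOG).items():
        print(key, "->", "; ".join(findings))
```

Sessions with no findings are left out of the report, so a clean day produces an empty dictionary; anything listed is what the manual email review in the episode would escalate.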
Transcribed by https://otter.ai