The Malware Pandemic
In the information technology world, Log4j could become the equivalent of a particularly virulent Covid variant—and for businesses, a potentially bigger danger.
Log4j is an open-source, Java-based utility that logs error messages in software applications. In early December, a cybersecurity staffer with the Alibaba Cloud service in China discovered a vulnerability—a flaw—in Log4j that could open millions of businesses and other organizations to cyberattacks. A second flaw was found shortly afterward.
Compared to a data breach releasing sensitive information of millions of retail customers, the dangers of Log4j’s flaws are harder for non-IT people to understand. But as a cybersecurity threat, Log4j could become a disaster of pandemic proportions. That’s because innumerable organizations have the utility in their IT networks—and many don’t even know it’s there. Log4j could allow cybercrooks worldwide to steal data, encrypt servers, shut down factory floors, deceive companies into wiring them money, and demand thousands, even millions, of dollars in ransom.
Businesses are growing more aware of the need to protect their IT networks from cyberattacks. So are governments. In May, the Minnesota Legislature established a Commission on Cybersecurity to examine and possibly update the state’s cybersecurity policies. But threat actors have grown more sophisticated, refining their tactics as new defenses appear.
It’s also becoming clear that just about any business can be a target. Companies are far from helpless, but they do need to be even more vigilant—and to better understand the enemy.
Ransomware activity skyrockets
Stealing company and customer data remains a huge business among threat actors, but the real boom in cybercrime is ransomware. The U.S. Treasury Department’s Financial Crimes Enforcement Network saw $590 million in reported ransomware activity in the first six months of 2021, compared to $416 million for all of 2020. And according to a November 2021 ransomware survey from U.K.-based cybersecurity firm Mimecast, the U.S. victims surveyed paid an average ransom of $6.3 million.
“Cyberwarfare has definitely expanded to incorporate the business market. It’s being leveraged against almost every industry,” says Sean Curran, senior partner, cybersecurity for Chicago-based digital consultancy West Monroe, which has an office in the Twin Cities. Bad actors have expanded beyond “hard targets” such as financial services, governments, and utilities to attack complex global supply chains, which can be as simple as hitting some small companies, Curran notes.
Ransomware has typically infected a company’s network when a hacker steals an employee’s login credentials through a phishing email or a similar con. “The second most popular vector for ransomware—some would argue the most popular now—is direct exploitation of a server, firewall, or other network component,” says Allan Alford, CTO and CISO at St. Louis Park-based TrustMAPP, which produces cybersecurity performance management tools for chief information security officers. “If there’s a known vulnerability that lets you attack from the outside and lets you get straight in with administrative privileges, you don’t need anybody’s credentials.”
What makes these breaches particularly pernicious is that the malware that infects a company’s IT systems will remain there, biding its time, as it were. “Eighty percent of the companies that get hit with a ransom attack get hit with a second one,” says Joe Kingland, CEO of St. Paul-based cybersecurity firm Blue Team Alpha. “The ransomware isn’t getting removed properly. Or else the companies aren’t shoring up their defenses after an attack. They figure they paid the ransom, so it’s back to business as usual.”
Kingland notes that on a surface level, ransomware isn’t particularly difficult to remove. But it can be wickedly hard to remove thoroughly. “A ransomware gang may have five or six ways into a company,” he says. “They’ll get in one way, then they’ll open up another door for themselves over here, and they’ll open up a window over there.” The company’s IT team or services vendor may not find all of those different ways in.
This means that gangs don’t need to reinvent their basic approach. “They’re having a field day and cashing in,” Kingland says. There’s even what cyber experts call “ransomware as a service” (RaaS), where malware developers offer their code to other cybercrooks for a cut of the ransom or other ill-gotten gains. In September, the U.S. Cybersecurity and Infrastructure Security Agency sent out an alert about a RaaS entity called Conti, whose handiwork allows its “affiliates” to wreak mayhem on IT systems without having to develop their own ransomware.
Here’s a bit of good news on the cyber front: Organizations seem to be more vigilant about phishing. “It’s still certainly a big problem—we still see all those phishing emails,” Curran says. “But generally speaking, the awareness is much better than it used to be. In the past, click rates were in the 30 percent range. Now they’re down in the 10 percent range.”
One likely reason for that decline is the growing use of multifactor authentication, which requires an employee to provide two forms of digital ID to access an organization’s servers, not just the standard username/password combination. One-time passwords and numerical codes sent to the employee’s smartphone or email are common secondary authenticators; many organizations have instituted security tokens or biometric identification. Though multifactor authentication methods aren’t perfect, they eliminate “nearly all phishing problems,” notes Nate Austin, co-founder and vice president of business development at New Brighton-based technology services provider Mytech Partners.
But here’s the bad news: Phishing is by no means the only way threat actors are getting into business networks.
Lurking in the shadows
Every software program inevitably and unavoidably has vulnerabilities. Over time, most bugs get fixed. But as in the case of Log4j, a tiny flaw in a widely used software component can explode throughout networks worldwide.
A flaw could be something that isn’t visible, notes Aaron Shilts, CEO of Minneapolis-based cybersecurity firm NetSPI, which specializes in network penetration testing and “attack surface management” for its business clients. More than 50 percent of NetSPI’s work involves testing applications—which Shilts terms “the lifeblood of any enterprise” —for vulnerabilities.
“Modern enterprises are built on many layers of technology—different modules and pieces of software to handle their customer relationships, to deliver their services,” says Shilts. “Just because you understand that you have a piece of software doesn’t mean you understand all of the components of that software.” Log4j, for instance, “lives in all kinds of software: Twitter, iCloud, you name it. It is ubiquitous.”
Cybersecurity has become even more complicated by the hybrid work environment of the pandemic period. “Communication between the home base of the company and the people in the field is a little more tenuous now,” TrustMAPP’s Alford notes. “And there are lots of ways [for threat actors] to get in and exploit that.” That’s especially true in larger organizations. For instance, “if you’re working from home and some guy calls and says he’s from IT in your company, you’re probably going to believe him. And if he says, ‘Go here and click on this,’ you’re probably going to go there and click on it.”
That’s why Alford says that identity and access management has become one of the most important things his company does. Identity and access management tools make sure the person logging in really is that person. These tools also can manage and track an identity through an ecosystem of many disparate IT systems. Another strategy Alford and other cyber experts recommend is vulnerability management, a family of tools that scan one’s entire environment for flaws that require patching.
Patching or fixing flaws is essential. It’s also becoming harder to do. There are plenty of vulnerabilities in applications built on Linux or on software from third-party developers such as Apache, the software development community under whose auspices Log4j was written. And “the ability to identify and exploit [vulnerabilities] is just so much quicker than it was years ago,” says West Monroe’s Curran. IT people talk about “zero-day” vulnerabilities—newly discovered flaws so susceptible to cyberthreats that software developers and vendors have, so to speak, “zero days” to develop a patch.
But patching isn’t always enough. As Curran notes, many organizations believe that if they’ve “caught” a threat through their antivirus software and patched the flaw, “the threat actor lost their access.” In reality, he says, it’s already too late.
Last March, malware attackers exploited flaws in Microsoft Exchange, which affected an estimated 250,000 users of the email platform. Organizations applied the supplied patch, only to discover later that the malware was still there. Six months after the reported attack, “we saw a massive deployment of ransomware associated with that original breach,” Curran says. Smaller businesses and local governments were among the attack’s primary victims.
Defenses in the cyberwar
How can businesses defend themselves? Antivirus software and firewalls are useful and necessary, but they’re not sufficient.
Mark Abbott, chief legal officer at Minneapolis-based technology services firm Atomic Data, notes that vendors have introduced automated systems intended to detect threats that are a little unusual and don’t demonstrate well-known patterns of bad behavior.
Endpoint detection and response (EDR), for instance, tracks suspicious activity across multiple endpoints—the computers and other devices connected to the network. There’s also vulnerability scanning, which “integrates with your patch management and becomes a complement to it,” Abbott says. “This helps you start to see things in the environment that you wouldn’t normally consider a ‘check box’ but might still be security risks.”
Another set of defense weapons, called managed detection and response (MDR), combines automated monitoring and response with human expertise. “A lot of the toughest vulnerabilities can’t be found with software, automation, and scanning,” says NetSPI’s Shilts, whose company’s penetration testing offers a similar combination of automation and manual deep dives.
These defenses can be extremely useful. But security measures aren’t set-it-and-forget-it. “Hackers know that firewalls, switches, even some server firmware rarely get updated unless there’s a problem,” Mytech’s Austin says. Threat actors can attack an organization through these vulnerable locations “unless you and your IT team keep them secure. But these devices are some of the last things people protect, because the updates are often manual, they can potentially cause service disruption, and they are easy to overlook.”
Cloud computing, even with all of its advantages, isn’t a cybersecurity panacea. While the cloud has boosted organizations’ ability to manage their remote workforces, it also has widened the “attack surface” for cybercrooks to exploit. That noted, cloud providers can be a stalwart cybersecurity ally.
“Microsoft spends so much [more] money on security and protecting its [cloud] infrastructure than small businesses could ever spend collectively on their local servers,” Austin says. Microsoft’s security capabilities include data loss prevention, which allows companies to prevent sensitive data from leaving their IT environment. But as Austin notes, these capabilities won’t work if companies don’t activate them.
Cyber experts uniformly recommend ongoing security awareness training for all employees so that they always keep best practices top of mind. Phishing attacks may be somewhat less successful than they used to be, but they are still succeeding, and phishers have become more artful in crafting their lures.
With a company’s well-being and even survival at risk, “cyber should be a board-level topic,” Shilts says, “because there’s a lot at stake.” Larger organizations should consider hiring a CISO; smaller businesses should have an outside IT consultant with proven cybersecurity expertise. And organizations of all sizes should regularly test their systems for potential vulnerabilities.
Like most cybersecurity experts, Shilts also recommends that companies understand their environment, whether on premises or in the cloud. “It sounds easy,” he says. “But it’s one of the hardest things.” Even if the Log4j flaw proves less destructive than originally feared, businesses will constantly need to shore up and fortify their complex and essential IT realms.
Minnesota Legislators Tackle the Cybersecurity Threat
The small Minnesota town of Lewiston (pop. 1,800) was hit with a malware attack last summer that locked city workers out of its IT network. Lewiston, located in southeastern Minnesota near Winona, paid a ransom of $60,000. Then the attackers demanded $120,000 more to release network data.
Lewiston rebuilt its system using backup files and avoided shelling out more ransom money. But the attack demonstrates that businesses are by no means the only organizations vulnerable to cyberattacks.
In 2021, the Minnesota Legislature established a Commission on Cybersecurity, which began meeting in November. Sen. Mark Koran, R-North Branch, who chairs the eight-member commission, says the Legislature recognizes “the importance of cybersecurity in every aspect of our lives,” including state and local government.
The state is not particularly vulnerable, at least comparatively. In 2020, the Internet Association, an IT trade organization, ranked Minnesota tops among all states for cybersecurity. But as Koran notes, “the number and severity of threats have been increasing.” One of the goals of the commission, he adds, is “to have a vehicle where the Legislature is deeply involved and fully informed so that it understands the threats, not just to all government in Minnesota, but also to our private industries.”
As the Lewiston cyberattack shows, even small units of government are vulnerable. According to Koran, fewer than 10 of Minnesota’s 87 counties have more than one staffer dedicated to IT. This puts both government and the citizenry at risk, Koran says: “Counties really deliver the vast majority of government services.”
Because the Legislative Commission on Cybersecurity is just establishing its structure, it’s too early to project how its work will play out. Koran says he doesn’t expect massive bills to come out of the commission.
Instead, he says, it will focus on sharing cybersecurity information and best practices across all levels of government. Koran also wants to ensure that state and local governments have the financial and technical resources to establish and implement cybersecurity policies, including effective recovery capabilities should an attack reach its target.
As city leaders in Lewiston discovered, a successful attack can happen in any town. —Gene Rebeck