The Good, the Bad and the Ugly in Cybersecurity – Week 44

The Good | Global Alliance Looks to Curb Illicit Crypto Funds

This week Washington DC played host to the third annual International Counter-Ransomware Initiative summit, and delegates from 40 countries are pledging their support to prevent the payment of ransom demands to cybercriminals.

The news comes on the back of record numbers of ransomware attacks in September, with 514 incidents worldwide. Every month of 2023 has so far seen an increase in attacks compared to the same month last year, with the U.S. bearing the brunt of the surge, accounting for half of all ransomware incidents globally. New actors such as LostTrust and RansomedVC have significantly contributed to the 153% year-on-year increase.

In response, a U.S.-led global initiative will seek to block cybercriminals from being paid and to seize illicit funds. Countries will share information on crypto wallets being used for ransomware payments, and AI will be deployed to analyze blockchain transactions to identify criminal proceeds. Information will be shared across partner countries on two information-sharing platforms, one set up by Lithuania and another jointly by Israel and the UAE.

Deputy National Security Adviser Anne Neuberger said that the problem of ransomware will only continue to grow until governments take action to stop the flow of money. Ransomware gangs work across national borders and the widespread use of cryptocurrency has fuelled the explosion in cybercrime. The most effective way to address the problem is to remove the ability for criminals to receive funds.

The Bad | SolarWinds Allegedly Defrauded Investors

Bad news for investors in Texas-based software outfit SolarWinds and for its CISO, Timothy G. Brown: the SEC announced this week that it is charging both with fraud and internal control failures relating to cybersecurity vulnerabilities and risks.

SolarWinds was, of course, a primary target in the massive 2020 SUNBURST supply chain attack. The SEC alleges that for at least two years prior to that, SolarWinds knew of specific vulnerabilities and risks that were inconsistent with its public statements to investors. According to the complaint, SolarWinds knew that its remote access set-up was insecure and that an internal report said a threat actor could “do whatever without us detecting it until it’s too late”. Presentations by Brown in 2018 and 2019 stated that the company’s “current state of security leaves us in a very vulnerable state”, according to the SEC’s 68-page complaint.

In addition, after the cyber attack on SolarWinds, Brown allegedly wrote that “our backends are not that resilient”. Other company documents are said to have stated that “the volume of security issues being identified over the last month” had “outstripped the capacity of Engineering teams to resolve”.

The SEC says that Brown and SolarWinds ignored repeated warnings about cyber risks and failed to address them, instead engaging in “a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.”

SolarWinds and Brown both deny the allegations, claiming that the company “maintained appropriate cybersecurity controls prior to SUNBURST and has led the way ever since”.

The Ugly | Vendor Leaks PII of Identity Management Firm’s Employees

There is more troubling news concerning Okta this week as the company revealed that almost 5000 current and former employees had sensitive personal information exposed as a result of a third-party vendor breach.

According to Okta’s data breach notification, a data security incident at Rightway Healthcare, which managed healthcare provision for Okta employees between 2018 and 2020, led to the leak of personal information including names, SSNs and health or medical insurance plan numbers.

Rightway informed Okta last month that an unauthorized actor had gained access to the data, likely in September 2023. At present, there is believed to be no evidence of the data being used against individuals, but the company has offered two years of free credit monitoring and fraud detection services to affected employees.

The breach notification comes in the wake of several cybersecurity incidents for Okta over the last two years. Just last month the company reported that a threat actor had gained access to files uploaded by some Okta customers, with a downstream impact on clients such as 1Password, BeyondTrust and Cloudflare, among others. Last year, hacking gang Lapsus$ gained access to confidential information and source code belonging to the company.

Due to its market position providing identity management services to thousands of organizations, Okta is a hugely attractive target for cybercriminals. In a statement today, the company apologized to its customers and said it is “deeply committed to providing up-to-date information” about cyber security incidents.