Image of The Good, The Bad & The Ugly in CyberSecurity

The Good, the Bad and the Ugly in Cybersecurity – Week 44

Image of The Good, The Bad & The Ugly in CyberSecurity

The Good

The benefits of the DDW (Deep Dark Web) are beginning to shine through. Whether it is a site like SecureDrop (aka DeadDrop) that allows people to anonymously share information with journalists or someone in Iran sharing on Tor’s own website how grateful they are to be able to get news “from the West” with less fear of being persecuted, these rays of light from the DDW are always welcome. So it was great to see that this week, BBC News decided to host news web servers on the DDW.  These are only accessible via Tor so that a user can’t accidentally visit a site without the anonymization protection. Even better, the BBC are hosting translated, regionally-targeted sites in Arabic, Persian, Vietnamese and Russian languages to help people in those censored regions access unfiltered content from the West.

image of tor the onion router

The Bad

Although authorities at the Kudankulam Nuclear Power Plant (KKNPP) in India denied reports on Monday that the power plant had been compromised by malware, there is little doubt amongst the security community that bridging an air gap is entirely feasible. Myriad ways and means have been developed that allow jumping air gaps via thumb drives, compromised laptops, or standing up stealthy ad-hoc sneaky wireless networks. See AirHopper, COTTONMOUTH, or USBee as examples.

Citizens in India are demanding an explanation, but instead were treated to bland denial by the KKNPP.

“…the plant and other Indian nuclear power plants control systems stand alone and are not connected to outside cyber network and Internet. Hence, any cyberattack on Nuclear Power Plant Control System [is] not possible. Moreover, all the systems had been loaded with home-grown firewalls to check the hackers’ attempts, if any.”

I don’t know about you, but “air-gapped” and “home-grown firewalls” rarely belong in the same description of mission-critical infrastructure.

On Wednesday, plant authorities confirmed the compromise, while still asserting that mission critical networks were not compromised. This author has learned from decades supporting critical operational environments in the context of military operations that the phrase “isolated” often does not actually infer an air-gap, but rather some combination of a set of firewalls, data guards, and/or data diodes that logically separate, rather than physically separate, networks. A physically isolated mission critical network would indeed be the norm for an operational Nuclear facility. So then, what about these “home-grown firewalls” mentioned earlier in the week? 

image of Indian Nuclear Power Plant
Image Credit: Kudankulam Nuclear Power Plant (KKNPP)/Wikimedia Commons

The Ugly

Ransomware victims are paying upwards of over $1m USD, and the trend is just getting worse. In a twist, some of the campaigns have been first targeting the company’s insurance documentation prior to holding their data for ransom. Patrick Cannon, head of enterprise risk claims at Tokio Marine Kiln Group Ltd, said he had heard of one incident where:

“…the insured said they couldn’t afford the ransom, so the attacker produced a copy of the insurance policy and said that, actually, their cyber insurance would cover it”

image of ryuk ransomware

A report by Beazley shows a 37% rise in ransomware this quarter compared to last, and significant focus on IT Organizations and MSSP’s being hit. This uptick could be related to the recent re-emergence of Emotet-driven campaigns, or it could also be the result of last spring’s Fin 9 and related MSSP-targeted campaigns by Gift-Carding operations having been discovered and “burned”: why not make additional profit on your way out of the MSSPs by targeting both the MSSP and their customers with ransomware? It seems that, for the unprotected at least, the dilemma posed by ransomware is not going away any time soon!