
Cyberwars: Attacks and Counterattacks (i.e., Response and Prevention)
Presented by Nora E. Wetzel
League of California Cities
October 16, 2020

Nora E. Wetzel

Nora is a commercial litigation attorney in Burke's San Francisco office with a focus on data privacy matters. Nora has been designated a Certified Information Privacy Professional (CIPP/US) by the International Association of Privacy Professionals (IAPP).

Introduction

This presentation will identify forms of attack, such as business email compromise, as well as inadvertent exposure through loss of paperwork, sending data to the incorrect recipient, and loss of encrypted or un-encrypted devices.

Overview of cyber incidents in the public sector

• Remote Desktop Protocol Vulnerabilities
• Email Phishing Campaigns
• Software Vulnerabilities

Other methods of Cyber Attacks

01 Advanced Persistent Threats
02 Denial of Service (DOS) Attacks
03 Insider Attacks
04 Malware
05 Password Attacks
06 Man in the Middle (MITM) Attacks

We Learn From The Best

In 2020, bad actors have made use of the Covid-19 pandemic to deploy cyber-attacks.

Bad actors are sending out spam attacks based on Covid-19

• a sextortion scheme threatening to infect the recipient's family with Covid-19 if the recipient does not pay the amount demanded
• a fundraising request purporting to be from the World Health Organization (WHO) requesting donations in Bitcoin to fund Covid-19 research
• messages purportedly coming from WHO but including documents with malware

FBI Warnings

01 An e-mail from an unknown party and, many times, will be written in broken English with grammatical errors
02 The recipient's personal information is noted in the e-mail or letter to add a higher degree of intimidation to the scam. For example, the recipient's user name or password is provided at the beginning of the e-mail or letter
03 The recipient is accused of visiting adult websites, cheating on a spouse, or being involved in other compromising situations
04 The e-mail or letter includes a statement like, "I had a serious and infect your computer," or "I have a recorded video of you" as an explanation of how the information was allegedly gathered
05 The e-mail or letter threatens to send a video or other compromising information to family, friends, coworkers, or social network contacts if a ransom is not paid
06 The e-mail or letter provides a short window to pay, typically 48 hours
07 The recipient is instructed to pay the ransom in Bitcoin

In 2019, cyber-attacks cost entities $3.5 billion in losses

FBI 2019 Internet Report

Business Email Compromise

A BEC attack begins with a cybercriminal hacking and spoofing emails to impersonate your company's supervisors, CEO, or vendors. There has been an increase in BEC attacks to divert payroll funds.

• The Bogus Invoice Scheme
• CEO Fraud
• Account Compromise
• Attorney Impersonation
• Data Theft

Tech Support Fraud

• Criminal claiming to provide technical support or service in an effort to defraud unwitting individuals
• May pose as support or service representatives offering to resolve such issues as a compromised e-mail or bank account
• Recent examples included attackers posing as customer support for travel industry companies, financial institutions, or virtual currency exchanges

"CALIFORNIA WAS THE STATE WITH THE MOST VICTIMS AND HIGHEST LOSSES CAUSED BY CYBER ATTACKS"

8 Types of Cyber Attacks Small to Medium-Sized Businesses Face

EXAMPLES OF CYBER ATTACKS ON CITIES

Ransomware: In 2019, 205,280 organizations submitted files that had been hacked in a ransomware attack, a 41 percent increase from the year before.

Cyber Insurance: Some businesses and city governments are taking out insurance to be ready for ransomware demands.

Hartford, Connecticut
Attacked in early September 2020 by ransomware that affected 200 of the city's servers, including those used by the school system, the police department, and emergency dispatchers. According to the city, it quickly shut down servers and froze its technology systems. It continued to run all the city's first responder systems, though reopening of its school system was delayed. The city did not have to pay a ransom to regain access to its servers, though it did not explain how it was able to avoid doing so.

Lafayette, Colorado
Suffered a cyber attack in late July 2020, which disrupted the city's phone, email, online payment, and reservations systems. Ransomware called "Snatch" infiltrated the city's computer network through a phishing or brute force attack and started locking down computer files. This type of ransomware typically uses remote desktop protocol, brute force methods, and/or takes advantage of an unplugged hole in a computer network. The city paid a $45,000 ransom to unlock its data.

Florence, Alabama
Experienced a ransomware attack in June 2020 that shut down the city's email system. The city decided to pay over $250,000 from the city's insurance fund to recover data encrypted in the attack, though it was able to negotiate the ransom demand down from the initial amount of $378,000.

Torrance, CA
Attacked in March 2020 when its computer systems were compromised, interrupting the functioning of its email accounts and servers. City documents including city budget financials, various accounting documents, document scans, and an archive of documents belonging to the City Manager were leaked to the dark web. The hackers claiming responsibility, DoppelPaymer operators, stated that they erased the City's local backups and then encrypted approximately 150 servers and 500 workstations. The hackers demanded a 100 bitcoin ($689,147) ransom for a decryptor, to take down files that had been publicly leaked, and to not release more stolen files.

Durham, North Carolina
The City and County of Durham, North Carolina was struck with the Ryuk ransomware in March 2020, which was thought to be the same ransomware responsible for the 2019 New Orleans attack noted below. This was actually two separate attacks, and though they were detected and contained, they caused most city networks and phones to remain offline during the recovery process, and resulted in 80 servers needing to be rebuilt and 1,000 compromised computers needing to be reimaged.

North Miami Beach Police Department
North Miami Beach Police Department was hit with a ransomware attack in February 2020 demanding $5 million to get the department's information back.

Colonie, New York
Suffered a cyber attack in January 2020. Though it could not determine how the ransomware infected its systems, the city had reliable backups that allowed it to continue operation without having to pay the $400,000 bitcoin ransom demanded to retrieve the files the ransomware locked.

Las Vegas, Nevada
Suffered a cyber-attack on January 7, 2020. The city commented that it was likely bad actors gained access to the city's network via a malicious email. The city had taken a public position not to pay a ransom back in July, though it is unclear if the attack involved ransomware. The city reportedly caught the attack early and claims that it does not believe any data was lost or taken.

New Orleans, Louisiana
New Orleans fell victim to a cyber attack in December 2019. It detected suspicious activity on the City's network, investigated, and discovered there was a ransomware attack affecting roughly 4,000 City computers. The city's IT department ordered all employees to power down computers and disconnect from Wi-Fi. All city servers were also powered down, and employees were told to unplug any of their devices. The city had cyber insurance and expected it to cover nearly $1,000,000 in costs the city had incurred since the onset of the attack, though it did not cover the cost of paying a ransom.

Pensacola, Florida
Was hit by a cyberattack in December 2019, affecting city email and landlines, a customer service line, and online bill payments for energy and sanitation. As a result of the incident, staff disconnected computers from the city's network until the issue could be resolved. Pensacola did not reveal any further information about how the cyberattack first occurred, what type of personal data was breached, or whether the attack stemmed from malware or ransomware.

San Marcos, California
Was targeted in October 2019 by a suspected cyber attacker. San Marcos's email system used by city employees was affected, leaving employees unable to communicate with some of the public. Employees discovered the problems, and the city manager confirmed the city was the victim of a suspected hacking.

Baltimore, Maryland
Baltimore fell victim to ransomware known as "RobbinHood", in attacks some experts say involved a tool developed by the National Security Agency. The attack locked the city out of its computer servers for ransom. City systems are reported to be slowly recovering from the attack, which officials said cost Baltimore more than $18 million.

Atlanta, Georgia
Atlanta's computer networks were targeted in March 2018. The hackers demanded $51,000 in Bitcoin and held the city hostage for nearly a week, while the city refused to pay. Apparently, some city services used hardcopy paper to continue operations. The city reportedly did not want to reward and encourage more ransomware attacks, and considered that there was no guarantee systems would be restored even if it paid. This stance has hit the city hard: costs associated with the attack are estimated to be as high as $17 million. Now, the U.S. Justice Department reports that two Iranian hackers were behind the attack on Atlanta. The two hackers are thought to have developed the SamSam ransomware, which is a type of malicious software.

22 Texas Cities
22 Texas cities' computer systems were infiltrated by hackers demanding a ransom. A mayor of one of those cities said the attackers asked for $2.5 million to unlock the files. Officials did not identify which specific cities were affected. The Texas Department of Information Resources stated that the evidence pointed to a single threat actor. A representative for the department reported that he was "not aware" of any of the cities having paid the undisclosed ransom sought by the hackers, and disclosed that the impacted locales were mostly rural.

ADDITIONAL ATTACKS AFFECTING GOVERNMENT ENTITIES

August 2020: Hackers for hire suspected of operating on behalf of the Iranian government were found to have been working to gain access to sensitive information held by North American and Israeli entities across a range of sectors, including technology, government, defense, and healthcare.

August 2020: An Iranian hacking group was found to be targeting major U.S. companies and government agencies by exploiting recently disclosed vulnerabilities in high-end network equipment to create backdoors for other groups to use.


February 2020: The U.S. Defense Information Systems Agency announced it had suffered a breach exposing the personal information of an unspecified number of individuals.

January 2020: The FBI announced that nation state hackers had breached the networks of two U.S. municipalities in 2019, exfiltrating user information and establishing access for future compromise.


December 2019: A Chinese state-sponsored hacking group attacked government entities and managed service providers by bypassing the two-factor authentication used by their targets.

December 2019: Unknown hackers stole login credentials from government agencies in 22 nations.


October 2019: An Israeli cybersecurity firm was found to have sold spyware used to target senior government and military officials in at least 20 countries by exploiting a vulnerability in WhatsApp.

September 2019: A Chinese state-sponsored hacking group responsible for attacks against three U.S. utility companies in July 2019 was found to have subsequently targeted seventeen others.

September 2019: North Korean hackers were revealed to have conducted a phishing campaign over the summer of 2019 that targeted U.S. entities researching the North Korean nuclear program and economic sanctions against North Korea.

July 2019: State-sponsored Chinese hackers conducted a spear-phishing campaign against employees of three major U.S. utility companies.

Inadvertent exposure

There are other, unintentional methods of data exposure that can result in a significant data security breach event for cities. Inadvertent exposures can occur through loss of paperwork, sending data to the incorrect recipient, and loss of encrypted or un-encrypted devices.

WHAT TO DO WHEN A CYBER INCIDENT HAPPENS

TYPICAL PHASES OF RESPONSE TO A CYBER-ATTACK
• Investigation
• Containment
• Remediation
• Notification

DETECT THAT A CYBER-ATTACK HAS OCCURRED

• Clear instruction about what qualifies
• Who and how to notify
• Timing for notifications
• Notify cyber insurance provider

Classify the incident

Once an incident has been detected, classify it. Examples include critical, significant, or minor. Determine ahead of time what is critical, significant, or minor for your organization.

Investigate and Contain

Triage and set objectives

Consider what is most important for your entity: is it resuming service as quickly as possible? Is it protecting confidential information? Is it confirming the integrity of data where the integrity of data is critical for the entity? This will likely differ with what data, applications, and/or operations are affected.

Remediation

The goal is to restore the organization to its normal functioning. When a ransomware attack occurs, the best method of restoration, if you have implemented best practices and have backups, is to restore your system to normal functioning from your backups. Alternatively, it might be paying a ransom to get your files back, which we note is not endorsed by the FBI.

Notification

Rely on legal counsel's advice as to whether a data breach has occurred under applicable law. If it has, then you will likely need to notify affected individuals, and you may have to notify state attorneys general, credit agencies, or other entities as specified by the applicable law.

Cybersecurity Best Practices

• Be skeptical of last minute changes in wiring instructions or recipient account information.
• Verify any changes and information via the contact on file; do not contact the vendor through the number provided in the email.
• Ensure the URL in emails is associated with the business it claims to be from.
• Be alert to hyperlinks that may contain misspellings of the actual domain name.
• Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender's email address appears to match who it is coming from.

There are general best practices for cybersecurity outlined by the FBI. They include the following:

• Regularly back up data and verify its integrity. Ensure backups are not connected to the computers and networks they are backing up. For example, physically store them offline. Backups are critical in ransomware; if you are infected, backups may be the best way to recover your critical data.
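The "verify its integrity" step above is easy to state and easy to skip. The following is an added example, not code from the presentation or from the FBI guidance: it records a SHA-256 manifest of a backup set and later compares the tree against that manifest, so that files a ransomware infection has overwritten, renamed, or deleted show up before anyone relies on the backup for recovery. The file names and contents are constructed for the demo; in practice the manifest itself would be written to media kept apart from the backup it describes.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (as a relative POSIX path) to its SHA-256 hash."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def manifest_to_json(manifest: dict) -> str:
    """Serialize the manifest; store this JSON on separate, offline media."""
    return json.dumps(manifest, indent=2, sort_keys=True)


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the current backup tree against a previously stored manifest.

    Returns the three classes of discrepancy a defender cares about:
    modified (content changed, e.g. encrypted in place), missing (deleted or
    renamed away), and unexpected (new names such as '*.locked' artifacts).
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Build a constructed backup set, record it, tamper with it, and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        (root / "finance" / "budget.xlsx").write_bytes(b"constructed budget data")
        (root / "minutes.docx").write_bytes(b"constructed council minutes")

        manifest = json.loads(manifest_to_json(build_manifest(root)))  # round-trip as stored

        # Simulate what an infection does to a connected backup: one file is
        # overwritten with ciphertext, another is renamed with a ransom suffix.
        (root / "finance" / "budget.xlsx").write_bytes(b"\x00\xff constructed ciphertext")
        (root / "minutes.docx").rename(root / "minutes.docx.locked")

        return verify_manifest(root, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the verification on a schedule against each backup generation and treat any non-empty "modified" or "unexpected" list as an incident, since a clean manifest comparison is what makes "restore from backups" a real option rather than a hope.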

• Focus on awareness and training. Since end users are targeted, employees should be made aware of the threat of ransomware and how it is delivered, and trained on principles and techniques.
• Patch the operating system, software, and firmware on devices. All endpoints should be patched as vulnerabilities are discovered. This can be made easier through a centralized patch management system.

• Ensure anti-virus and anti-malware solutions are set to automatically update and that regular scans are conducted.
• Implement least privilege for file, directory, and network share permissions. If a user only needs to read specific files, they should not have write access to those files, directories, or shares. Configure access controls with least privilege in mind.
• Disable macro scripts from Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Office Suite applications.

• Implement software restriction policies or other controls to prevent the execution of programs in common ransomware locations, such as temporary folders supporting popular internet browsers, and compression/decompression programs.
• Employ best practices for use of Remote Desktop Protocol ("RDP"), including auditing your network for systems using RDP, closing unused RDP ports, applying two-factor authentication wherever possible, and logging RDP login attempts.
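Logging RDP login attempts only helps if someone reads the log. The block below is an added example, not code from the presentation or from the FBI: it runs over a constructed export of Windows Security events (EventID 4625 is a failed logon, 4624 a successful one, and LogonType 10 is RemoteInteractive, i.e. RDP) and flags any source address that racks up a burst of failed RDP logons in a short window, noting whether a successful RDP logon from that same address followed the burst. The CSV layout, threshold and window are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (not real data). Columns:
# time, EventID, LogonType, TargetUserName, IpAddress
SAMPLE_EVENTS = """\
2020-10-01T02:14:05,4625,10,administrator,203.0.113.45
2020-10-01T02:14:07,4625,10,admin,203.0.113.45
2020-10-01T02:14:09,4625,10,administrator,203.0.113.45
2020-10-01T02:14:12,4625,10,jsmith,203.0.113.45
2020-10-01T02:14:15,4625,10,jsmith,203.0.113.45
2020-10-01T02:14:18,4625,10,jsmith,203.0.113.45
2020-10-01T02:16:40,4624,10,jsmith,203.0.113.45
2020-10-01T03:00:00,4625,3,svc_backup,198.51.100.7
2020-10-01T08:05:12,4624,10,jsmith,192.0.2.10
2020-10-01T08:30:00,4625,10,jsmith,192.0.2.10
2020-10-01T08:30:20,4624,10,jsmith,192.0.2.10
"""

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
RDP_LOGON_TYPE = 10  # RemoteInteractive


def parse_events(text: str) -> list:
    """Parse the constructed CSV export into dictionaries with typed fields."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, user, ip = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "user": user,
            "ip": ip,
        })
    return events


def find_rdp_bruteforce(events: list, threshold: int = 5,
                        window: timedelta = timedelta(minutes=5)) -> dict:
    """Return, per source IP, bursts of >= threshold failed RDP logons within window.

    Each finding records how many failures made up the burst, which usernames
    were tried, and which accounts logged on successfully over RDP from that
    IP after the burst, the case that warrants immediate containment.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["logon_type"] == RDP_LOGON_TYPE:  # ignore network/service logons
            by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        failures = [e for e in evs if e["event_id"] == FAILED_LOGON]
        for i in range(len(failures)):
            j = i
            while j < len(failures) and failures[j]["time"] - failures[i]["time"] <= window:
                j += 1
            if j - i >= threshold:
                burst_end = failures[j - 1]["time"]
                findings[ip] = {
                    "failed_attempts": j - i,
                    "usernames_tried": sorted({f["user"] for f in failures[i:j]}),
                    "success_after_burst": [
                        e["user"] for e in evs
                        if e["event_id"] == SUCCESS_LOGON and e["time"] >= burst_end
                    ],
                }
                break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for ip, finding in find_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(ip, finding)
```

The single failure from 192.0.2.10 followed by a success looks like an ordinary mistyped password and is not reported; the six rapid failures from 203.0.113.45 cycling through administrator-style names, followed by a successful logon as jsmith, are exactly the pattern that closing unused RDP exposure and enforcing two-factor authentication are meant to prevent.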

• Implement application "whitelisting." Only allow systems to execute programs known and permitted by security policy.
• Use virtualized environments to execute operating system environments or specific programs.
• Categorize data based on organizational value, and implement physical and logical separation of networks and data for different organizational units. For example, sensitive research or business data should not reside on the same server and network segment as an organization's email environment.

• Require user interaction for end-user applications communicating with websites uncategorized by the network proxy or firewall. For example, require users to type information or enter a password when their system communicates with a website uncategorized by the proxy or firewall.

There are also some specific recommendations by the FBI to take for protection against Business Email Compromise attacks:

01 Educate employees
02 Multifactor Authentication
03 Confirm URL associated with correct business
04 Check domain name

05 Do not supply employees' login credentials
06 Monitor accounts and patch computer software systems
07 Verify email address (especially on mobile)
08 Ensure the settings are enabled to allow full email extensions to be viewed
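Several of the BEC recommendations above (confirm the URL belongs to the right business, check the domain name for misspellings, verify the sender's address, view full attachment extensions) and the earlier best-practice bullets on last-minute wiring changes and lookalike hyperlinks can be turned into a mechanical first-pass review of an inbound message. The block below is an added example, not code from the presentation or from the FBI: it checks a message against a constructed list of vendor domains on file, flags sender and link hosts that are lookalikes of those domains (digit-for-letter and "rn"/"vv" substitutions plus a small edit distance), flags links whose visible text names a different domain than the real target, flags attachments hiding an executable behind a document extension, and flags any mention of changed payment details so the reader verifies through the contact on file. The two sample messages are constructed, and the domain list and keyword list are assumptions for the example.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Vendor/partner domains on file (constructed for this example).
KNOWN_DOMAINS = {"bwslaw.com", "cacities.org", "examplevendor.com"}

# Common visual substitutions seen in lookalike domains.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta"}
LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT_RE = re.compile(r"[\w.-]+\.[a-z]{2,}", re.I)
PAYMENT_RE = re.compile(
    r"\b(wire|wiring|bank account|routing number|account number|payment details)\b", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character domain misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Fold confusable character sequences so 'examplevend0r' compares as 'examplevendor'."""
    d = domain.lower()
    for seq, repl in CONFUSABLES.items():
        d = d.replace(seq, repl)
    return d


def registrable(host: str) -> str:
    """Last two labels of a host (simplification: ignores two-part TLDs such as co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_domain(host: str) -> str:
    """'known', 'lookalike of <domain on file>', or 'unknown'."""
    dom = registrable(host)
    if dom in KNOWN_DOMAINS:
        return "known"
    folded = normalize(dom)
    for known in sorted(KNOWN_DOMAINS):
        if levenshtein(folded, normalize(known)) <= 2:
            return f"lookalike of {known}"
    return "unknown"


def review_email(msg: dict) -> list:
    """msg has 'from', 'html' and 'attachments'; returns human-readable findings."""
    findings = []
    sender_host = parseaddr(msg["from"])[1].rpartition("@")[2]
    verdict = classify_domain(sender_host)
    if verdict != "known":
        findings.append(f"sender domain {sender_host}: {verdict}")

    for href, text in LINK_RE.findall(msg["html"]):
        href_host = urlparse(href).hostname or ""
        shown = DOMAIN_IN_TEXT_RE.search(re.sub(r"<[^>]+>", "", text))
        if shown and registrable(shown.group(0)) != registrable(href_host):
            findings.append(f"link text shows {shown.group(0)} but points to {href_host}")
        link_verdict = classify_domain(href_host)
        if link_verdict.startswith("lookalike"):
            findings.append(f"link host {href_host}: {link_verdict}")

    for name in msg["attachments"]:
        parts = name.lower().split(".")
        if len(parts) > 2 and "." + parts[-1] in RISKY_EXT:
            findings.append(f"attachment {name}: executable hidden behind a document extension")

    if PAYMENT_RE.search(msg["html"]):
        findings.append("payment details mentioned: verify via the contact on file, not this email")
    return findings


# Constructed sample messages (not real correspondence).
SUSPECT_EMAIL = {
    "from": "Accounts Payable <ap@examplevend0r.com>",
    "html": ('<p>Please note our new bank account details before paying. Review the invoice at '
             '<a href="http://examplevend0r.com/inv/4471">https://www.examplevendor.com/invoice</a>.</p>'),
    "attachments": ["Invoice_4471.pdf.exe"],
}
CLEAN_EMAIL = {
    "from": "Accounts Payable <ap@examplevendor.com>",
    "html": '<p>Your invoice is attached. Questions? <a href="https://examplevendor.com/help">Contact us</a>.</p>',
    "attachments": ["Invoice_4471.pdf"],
}

if __name__ == "__main__":
    for finding in review_email(SUSPECT_EMAIL):
        print("-", finding)
```

A tool like this is a triage aid, not a verdict: the real control in the recommendations is the out-of-band phone call to the number already on file before any payment detail is changed, and the checker's job is to make sure that call happens.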
