Cyberwars and Ransomware: Attacks and Counterattacks Friday, October 16, 2020

Nora E. Wetzel, Partner, Burke, Williams & Sorensen LLP

DISCLAIMER

This publication is provided for general information only and is not offered or intended as legal advice. Readers should seek the advice of an attorney when confronted with legal issues, and attorneys should perform an independent evaluation of the issues raised in these materials. The League of California Cities® does not review these materials for content and has no view one way or another on the analysis contained in the materials.

Copyright © 2020, League of California Cities®. All rights reserved. This paper, or parts thereof, may not be reproduced in any form without express written permission from the League of California Cities. For further information, contact the League of California Cities at 1400 K Street, 4th Floor, Sacramento, CA 95814. Telephone: (916) 658-8200.

League of California Cities 2020 City Attorneys' Department Virtual Conference
Cyberwars: Attacks and Counterattacks (i.e., Response and Prevention)
Nora Wetzel, Partner with Burke, Williams & Sorensen LLP
October 16, 2020

Introduction

A cyber attack is an attempt by an individual or group to infiltrate and compromise a computer system, network, or device with the intention of causing harm.[1] Cyberattacks and the resulting data breaches are a growing and persistent threat to public entities. The attacks on the cities of Hartford, Connecticut; Lafayette, Colorado; Knoxville, Tennessee; and Torrance, California, are just a sampling of the numerous attacks on cities. Yet cities are often unaware of what to do to combat cyberattacks, prevent data breaches, or respond when they occur. In this paper and my presentation, I provide an overview of the methods of cyberattack in the public sector that often result in data breaches.

I examine deliberate forms of attack, such as ransomware, malware, phishing, and business email compromise, as well as inadvertent exposure through loss of paperwork, sending data to the incorrect recipient, and loss of encrypted or unencrypted devices. I offer guidance on what to do when a cyber incident happens. And I offer recommendations on preventing cyberattacks and data breaches by implementing best practices for cybersecurity, training, and appropriate policies and procedures.

Section 1: Overview of cyber incidents in the public sector

There are several stages to a typical cyber attack: reconnaissance, perpetration, and exiting and/or obscuring the attack.[2] Reconnaissance is the phase in which attackers gather information such as IP addresses, domain names, personal names, or email addresses from a variety of sources, tools, and techniques, ranging from phishing campaigns, social network sites, and Darknet[3] data dumps to scans of a corporate network. The attack can then be perpetrated in various ways. Popular methods include sending phishing emails, creating a false website, deploying password-guessing tools, or looking for open ports or vulnerabilities to gain access to an entity's online services or network. Once the attack succeeds, the hacker expands his access. He may establish a persistent presence, retrieve information, make changes for his benefit, disrupt normal business operations by overloading an entity's internet connection, or create a pathway for re-entry, either to use himself later or to sell to a third party. After completing the objective of the attack, an attacker may try to mask or hide his attack, making it more difficult to detect and thereby gaining more time to complete his or her objectives.

There are many types of cyber attacks, but the following techniques are commonly used to infect victims with ransomware, one of the most common types of attacks on public entities:

• Email phishing campaigns[4]: The cyber criminal sends an email containing a malicious file or link, which deploys malware when clicked by a recipient. Cyber criminals historically used generic, broad-based spamming strategies to deploy their malware, while recent ransomware campaigns have been more targeted. Criminals may also compromise a victim's email account by using precursor malware, which enables the cyber criminal to use the victim's email account to further spread the infection.

• Remote Desktop Protocol vulnerabilities[5]: RDP is a proprietary network protocol that allows individuals to control the resources and data of a computer over the internet. Cyber criminals have used both brute-force methods (a trial-and-error technique for obtaining user credentials) and credentials purchased on darknet marketplaces to gain unauthorized RDP access to victim systems. Once they have RDP access, criminals can deploy a range of malware, including ransomware, to victim systems.

• Software vulnerabilities[6]: Cyber criminals can take advantage of security weaknesses in widely used software programs to gain control of victim systems and deploy ransomware. For example, cyber criminals recently exploited vulnerabilities in two remote management tools used by managed service providers (MSPs) to deploy ransomware on the networks of customers of at least three MSPs.[7]

Other methods of cyber attack include advanced persistent threats ("APT"), denial of service ("DOS"), insider attacks, malware (ransomware is a type of malware), password attacks, and man-in-the-middle attacks ("MITM"). An APT is where a hacker gains access to a computer or network over a long period of time with the intent to gather information.[8] DOS attacks deny service to a legitimate user through two methods: specially crafted data, which involves sending specialized data to a system that causes an error within the system and prevents it from working, or flooding, which involves overloading a system to slow it down so that it does not work.[9] These are similar to ransomware attacks in that the attacker can essentially hold a system hostage until a user pays a fee to stop the attack and allow the system to return to normal. Distributed DOS (DDOS) attacks use multiple computers to carry out the attack, as opposed to a single computer.[10]

Insider attacks are attacks started by an internal user of a system: employees, contractors, or other internal users. Sometimes these are unintentional mistakes, where an employee does not practice good cyber safety; sometimes they are intentional, where a current or former employee attacks a system for personal gain or revenge.[11] Malware refers to "malicious software": programs designed for download to a computer to cause damage or a breach without the owner's knowledge.[12] This class of software includes viruses, worms, spyware, and keyloggers.[13] Ransomware is a specific type of malware that encrypts data and/or devices to block user access until a ransom is paid in accordance with the hacker's demands.[14] Formjacking is a type of malicious JavaScript code used to steal credit card details from payment forms on the checkout webpage of e-commerce sites.[15] Formjacking has been associated with a group of hackers

Notes

1. "How Cyber Attacks Happen", https://www.equifax.co.uk/resources/identity_protection/how-cyber-attacks-happen.html; "Cyberattacks on the rise: What to do before and after a cyberattack or data breach", https://us.norton.com/internetsecurity-emerging-threats-cyberattacks-on-the-rise-what-to-do.
2. Naveen Joshi, "The Anatomy of a cyber attack: Dissecting the science behind virtual crime", Dec. 21, 2018, https://www.allerin.com/blog/the-anatomy-of-a-cyber-attack-dissecting-the-science-behind-virtual-crime; Chris Stoneff, "The Seven Steps of a Successful Attack", Jun. 5, 2018, https://www.beyondtrust.com/blog/entry/the-seven-steps-of-a-successful-cyber-attack; Nathan Cranford, "Stages of a cyber attack", Aug. 7, 2017, https://www.rcrwireless.com/20170807/network-function-virtualization-nfv/20170804stages-of-a-cyber-attack-tag27-tag99.
3. The darknet or dark web is a network, built on top of the internet, that is purposefully hidden, meaning it has been designed specifically for anonymity. It is only accessible with special tools and software: browsers and other protocols beyond direct links or credentials. You cannot access the darknet by simply typing a dark web address into your web browser. https://www.csoonline.com/article/3249765/what-is-the-dark-web-how-to-access-it-and-what-youll-find.html. See also https://dictionary.cambridge.org/us/dictionary/english/darknet.
4. FBI Public Service Announcement, Oct. 02, 2019, Alert No. I-100219-PSA, https://www.ic3.gov/media/2019/191002.aspx.
5. See note 4.
6. See note 4.
7. See note 4.
8. Don Carfagno, "8 Types of Cyber Attacks Small to Medium-Sized Businesses Face", Jun. 22, 2017, https://www.blackstratus.com/7-types-cyber-attacks-small-medium-sized-businesses-face/.
9. See note 8.
10. See note 8.