In this eye-opening episode of The Cybersecurity Insider, special guest Seth Melendez, a seasoned expert from WareGeeks Solutions, joins host Yigal Behar.
From the Colonial Pipeline to the NYC Law Department, Yigal and Seth tackle the alarming world of data breaches and ransomware attacks.
Security Oversights In Oil Pipeline Ransomware Attack
Yigal and Seth discuss a recent ransomware attack on an oil pipeline company. Yigal recounts the CEO’s testimony before the Senate, where the CEO claims the company invested $200 million in cybersecurity over the past five years. However, a company spokesperson later clarified that the $200 million includes all security initiatives, not just cybersecurity.
Yigal highlights the irony of the CEO’s statement about the compromised VPN account. While the password wasn’t as simple as “colleen1234,” the fact that it lacked multi-factor authentication (MFA) is a glaring oversight. Yigal finds the whole situation suspicious and suspects the CEO may be lying.
Seth remains skeptical, pointing out that the CEO’s claim of a $200 million investment raises more questions than answers. He questions how the money was spent, especially since the company seemingly neglected employee training on basic security practices like multi-factor authentication (MFA).
Yigal analyzes the situation, suggesting that even if the CEO’s statement is true, several issues come to light. The lack of two-factor authentication (2FA) and reports of the attackers already being inside the organization before the attack suggest a security breach. Seth proposes that the attackers might have captured the password through phishing, which was another flaw in the company’s defenses.
The lack of detection and monitoring mechanisms allowed the attackers to remain unnoticed within the network. This leads to a discussion of remediation, which suggests that the company may have additional vulnerabilities in that area as well.
Legacy Systems & Ransomware Recovery
Yigal brings up another interesting point: the company used a legacy VPN. He explains that the term “legacy” can be broad, but it could mean that this particular VPN couldn’t support 2FA, adding another layer to the company’s security issues.
The conversation then shifts to the ransom payment. Yigal reveals that the FBI recovered a significant portion of the $4.4 million ransom, but the recovered amount was less due to the fluctuating value of Bitcoin. Yigal advises contacting the FBI early in a ransomware attack, as they can help recover funds.
Yigal and Seth discuss the CEO’s decision to pay the ransom. Despite a $200 million investment, the company failed to enforce proper security measures. Yigal laments the lack of visibility into the company’s actions.
Not Doing Due Diligence When It Comes to Security
Seth references an article he read earlier, echoing Yigal’s point about compromised passwords. Seth focuses on the remote access aspect of the VPN, contesting why everyone seemed to have unlimited access. He notes the need for “granular authentication,” where access is granted based on specific roles and responsibilities.
Seth and Yigal agree that a lack of defense systems allowed the attackers to move freely within the network. They discuss how compromised accounts, likely due to password reuse on other breached platforms, could have facilitated the attack.
Yigal recommends disabling unused accounts, “Wait for a while, maybe, and then delete the account if you can safely do so. Don’t have [sic] access to it anymore. Or, if you want to keep the account, make sure to change the password. But again, now use 2FA. Maybe not in that legacy VPN system—maybe it had some sort of vulnerability that we don’t know about. So this is kind of the thing, they’re like simple stuff.”
The legacy VPN system might have had vulnerabilities, but they reiterate that the company neglected basic security practices. Seth expresses frustration that despite a $200 million investment over five years, the company failed to conduct regular security assessments and penetration testing.
Yigal puts in, “I would say because you have such critical infrastructure, a lot of people – millions of people – are dependent on your services. How come you don’t do your due diligence and check your system on a monthly basis? Okay, you can’t do it monthly, do it quarterly. Do an audit, check the accounts, right?
Seth agrees, “One of the biggest things is to make sure that people are following the rule of not using passwords more than once anywhere in your system or anywhere on the Internet because you can actually look for breached passwords nowadays.”
Password Dumps
Seth mentions the existence of a database created by the founder of “Have I Been Pwned?” that helps identify passwords that have been breached. He notes that many products integrate with this database, allowing for real-time checks during authentication processes.
Yigal chimes in, recalling a recent news article about a massive password dump. Although some of the leaked passwords might be old or changed, many are likely still in use.
Seth brings up the issue of companies not isolating their backups. He explains that in his experience, the best practice is to isolate backups on their own VLAN, allowing only specific traffic to cross. This prevents hackers from accessing the backup network in the event of a breach.
Yigal agrees on segmenting the backup network to protect against ransomware and other threats. Backups themselves need to be checked regularly to ensure they aren’t compromised.
Seth expresses disbelief at companies that spend vast sums on security yet fail to adequately protect their backups. He points out that having reliable backups can allow for quick recovery and stop the need to pay ransoms.
They discuss the recovery time, agreeing that it could take two to three weeks, especially if backups are stored in the cloud. Seth adds that even with cloud backups, local backups are necessary, and companies often offer to send hard drives to speed up the recovery process.
Backups & Disaster Recovery
Seth reminds listeners that cybersecurity insurance typically covers restoring and recovering data. He suggests that even if a company has multiple locations and needs to send out numerous hard drives to restore clean backups, it’s worth it to avoid trusting compromised servers.
Yigal agrees that if the company had followed this approach, they could have restored their major infrastructure within days and gradually brought everything back online.
He asks why the company didn’t invest in segmenting their backup network and having a solid disaster recovery plan. Seth criticizes the company for paying millions to hackers instead.
Yigal reiterates that paying the ransom might seem logical without backups, but it shouldn’t be necessary with a proper backup strategy. He speculates that the company’s leadership, including the CSO and CIO, might face consequences for the incident, citing the Equifax breach as a precedent where C-level executives were held accountable.
Yigal suggests changing topics after spending 15 minutes discussing a previous incident, mentioning an 8.4 billion entry data leak from 2021. Seth clarifies it’s called “Rock You 2021,” a massive 100-gigabyte text file containing combined data from previous breaches, making it easier for hackers to find passwords.
VMware Vulnerabilities & Security Best Practices
Yigal then shifts the focus to VMware, stating that threat actors are targeting unpatched VMware ESXi and Cloud Foundation software. VMware has released patches to address the vulnerabilities. He then questions the advice of not exposing vCenter directly to the Internet and using a VPN or jump box, finding it redundant.
Seth explains that even seemingly obvious advice needs to be stated explicitly to ensure proper security practices.
Yigal agrees on placing multiple layers of security—the “Onion Approach.” He mentions that only authorized personnel or IP addresses should have access to the jump box, and further restrictions should be in place for accessing servers from the jump box.
They both agree that most users shouldn’t need direct access to servers unless there’s a specific reason. Seth notes that, despite the recommended practices, some organizations still seem to do things differently.
Patching Systems
Yigal urges the need for patching systems. Seth recalls a 2007 cybersecurity book that remains relevant today. He expresses frustration that the same issues persist, and companies haven’t learned from past mistakes.
Yigal shares the sentiment, mentioning the tendency to blame China and Russia while overlooking the responsibility of American companies and IT professionals. He criticizes the inaction of C-level executives despite their claims of investing in security.
Yigal agrees, suggesting that the money isn’t effectively used, as successful multi-level security systems would deter attackers. Seth points out that breaches often occur due to simple oversights like weak passwords or lack of MFA, despite having a checklist of basic security measures.
Yigal questions why companies neglect even the most fundamental steps like patching. Seth humorously adds that some passwords are as simple as “poopsie1234,” referencing the Colonial Pipeline CEO’s denial of using a weak password. They compare getting robbed with a complex password to being robbed with a simple password, where the end result is the same—a security breach.
Yigal points out the concerning fact that the VMware vCenter vulnerability doesn’t require authentication if exposed to the internet. There is a need to restrict device access to specific IPs or sources and use a VPN with authentication. Also, “don’t forget to patch,” Yigal repeats.
Seth shifts to the idea of dedicating a future podcast episode to patching and password management, which Yigal enthusiastically agrees to.
Malware Targeting Windows Containers
Moving on, Yigal announces a discovery by Palo Alto Networks Unit 42: the first known malware targeting Windows containers. Called Siloscape, it infiltrates Kubernetes clusters through these containers to run malicious ones.
Seth compares the malware to a diamond in a glass case—even if vulnerable, it’s irrelevant if inaccessible. Regarding the problem of overly permissive access within organizations, Seth argues that not everyone, including IT personnel, needs backend access to containers.
Yigal notes the technical details of the exploit, including leveraging non-vulnerabilities in running containers and impersonating a service to obtain privileges using undocumented NTLM calls and symbolic links, where someone must have had initial access.
Seth insists that containers shouldn’t be directly exposed to the Internet, and while firewalls don’t guarantee prevention, they provide a defense layer.
Yigal adds that the exploit doesn’t require admin privileges, using ToR to connect to an onion C2 server. He advises verifying container image update processes for timely patching.
Disturbing Details of Cyberattack on NYC Law Department
Yigal shares that the New York City law department is being targeted, and he has insider information suggesting politics might be involved. He mentions a statement from the law department claiming they defended the attack and are investigating.
Yigal also reveals that sources believe China is behind the attack, specifically exploiting the Pulse Secure zero-day vulnerability to access the MTA computer system.
A forensic investigation demonstrated attempts to remove evidence that suggests the possibility of undiscovered system breaches and the presence of an active persistent threat (APT) within the network.
Before the end of the session, Yigal expresses concern about the link between the MTA and New York City systems and declines to comment further on the matter.
Follow and subscribe to The Cybersecurity Insider podcast for expert tips and breaking news in the world of cybersecurity. Catch us on YouTube for video versions or listen on your favorite platforms like Apple and Spotify. Join our community today!
