This Week in Cybersecurity September 13

Another week, another roundup of cybersecurity news. The stories that caught my attention this week were the fallout of recent ransomware attacks, the impact of humans on cybersecurity, zero day flaws patched by Microsoft, and the use of deepfake audio for fraud scams.

Let’s dig in:

Balking at Ransomware

There have been a number of high-profile ransomware attacks in recent weeks—most notably the orchestrated attack against 23 cities in Texas. Between the attacks in Texas and an attack in July against the city of New Bedford, Massachusetts, attackers demanded nearly $8 million in ransom—and got nothing. Zero. Zilch. Nada.

In the case of New Bedford, the city was willing to pay some ransom—just not the $5.3 million attackers demanded. They would have gladly paid $400,000 to make the ransomware attack go away and tried to negotiate the ransom amount down. However, the attackers were unwilling to compromise, so instead they got zero. In Texas, the Texas Department of Information Resources was tasked with coordinating the response to the coordinated ransomware attacks and directed the affected cities to ignore the ransom demands.

The decision to pay or not pay ransomware demands remains controversial, though. Many argue that ransomware demands should be rejected out of hand and never be paid, but the reality is that many of the ransomware victims that have not paid the ransom have spent far more than the ransom demand to restore data and get systems back online.

Are Humans the Weak Link?

A recent study from Proofpoint—The Human Factor Report—claims that 99% of malicious attacks require human input or intervention to execute. At face value, that seems to suggest that humans are the problem, but there are other factors that come into play as well. Attackers are clever and the attacks themselves are increasingly sophisticated.

Still social engineering plays a significant role, but organizations are at least party responsible as well, according to Ryan Berg, Engineering Fellow at Alert Logic. Users are getting mixed signals. “Social engineering is an interesting topic that is so poorly discussed in the industry. A case in point would be requiring people to place any sort of trust in email as a communication mechanism at all,” warned Berg. “Since there are no formal definitions surrounding what is necessary to “prove” trustworthiness of email, should we expect anything different? The average user has no idea how to verify an email is authentic.”

Berg explained, “There was a time when email was simply text based, there were no attachments to download, or hyperlinks to click. Now this is the new normal (even our signatures have links).”

“If we don’t want people to click on links or open attachments received through a system that—at its core—is very difficult for even security professionals to prove both authenticity and trustworthiness, then perhaps we should not place the social engineering squarely on the plate of the attackers and realize that we are active participants reinforcing the belief that interactive email is a good thing,” stressed Berg. “If we don’t bring about a social change on what should or should not be in an email, then expecting this behavior to change is a fool’s errand at best. Having a layered approach is great but expecting users to be experts at both authenticity and trustworthiness is only one lost credential away from being taken advantage of and stating that 99% of attacks rely on human interaction provides zero value.”

Microsoft Patches Two Zero Day Flaws Exploited in the Wild

This past week was Microsoft Patch Tuesday. Microsoft releases patches and updates on a monthly cycle on the second Tuesday of the month. By definition, Microsoft addresses a variety of flaws and vulnerabilities during the monthly updates, but this month was a little unusual in that two of the patches address zero day vulnerabilities that were already being actively exploited in the wild.

Microsoft addressed 79 separate CVEs in the September Patch Tuesday release, but two are particularly critical. CVE-2019-1214 exists in the Windows Common Log File System (CLFS) driver, and CVE-2019-1215 affects the Winsock IFS driver (ws2ifsl.sys). Both flaws allow for potential elevation of privileges—enabling an attacker to elevate access from standard user permissions to administrator level privileges.

Attackers Take Fraud Scams Up a Notch with Deepfake Audio

Business email compromised (BEC) is a huge and growing problem, costing victims millions of dollars each year. Thanks to advances in deepfake technology, though, attackers have been able to take things beyond email. Deepfake is an artificial intelligence technology that enables someone to create fairly realistic fake video or audio of an individual. The more source material available for the AI to analyze, the better job it can do at recreating a realistic simulation.

A UK-based energy company recently lost nearly $250,000 thanks to a deepfake audio scam. Attackers called the company’s CEO using deepfake audio pretending to be the CEO of the parent company and demanded an urgent wire transfer to a “supplier”. With no prior knowledge of deepfake audio scams, the CEO had no reason to doubt the authenticity of the call, and the urgency of the request helps ensure the target will act quickly to fulfill it. It’s an expensive lesson to learn, and it probably won’t be the last time we hear about a company being duped out of thousands or millions of dollars thanks to deepfake audio or video scams.