
A former FBI cybercrime investigator told StateScoop this week that the coronavirus pandemic, by forcing entire organizations to work remotely, has given ransomware actors a wider net to cast than before, while hacker tactics continue to mature into new threats.

The introduction of tens, hundreds or thousands of personal devices and home Wi-Fi networks connecting to government IT infrastructure, along with rising demand for digital government services, threatens to stretch public-sector cybersecurity resources thinner than ever, said Austin Berglas, a former deputy special agent in charge of cyber investigations for the FBI’s field office in New York.

“Covid has allowed all cybercriminals to have a larger attack surface,” said Berglas, who is now the global head of professional services at BlueVoyant, a forensic investigation firm. “You have everyone 100% remote. Think about all the extra machines on the network. [Bring-your-own-device], people using their own devices that are not centrally managed. People had to cope very quickly, companies that had to take care of all the extra devices.”

Berglas’s perspective echoes what other cybersecurity experts said earlier in the pandemic. But his comments also came as BlueVoyant published a new report on the ransomware threat facing state and local governments, saying the attacks have become more brazen and costly. While the pace of attacks seen by BlueVoyant in 2019 was largely unchanged from 2018, hackers’ financial demands increased exponentially, with the report citing figures of some $1,000,000.

‘Sent by a trusted user’

Berglas said these incidents reflected a shift in ransomware attacks from a “spray-and-pray” method, in which hackers widely distribute malicious links or attachments and hope to get lucky, to more targeted “big game” hunting. In 2020, however, he said, attack styles changed again to also include theft and potential exposure of sensitive victim data, a practice first popularized by attackers using the Maze ransomware that hit Pensacola, Florida.

This change, Berglas said, should force government entities to rethink how they prevent or respond to attacks.

“It changes the dynamics of business decisions,” he said.

The report from BlueVoyant, which works with ransomware victims and their cyber insurance companies to investigate and remediate attacks, highlights an incident in January, two months before the start of the pandemic in the United States, in which the Wisconsin cities of Oshkosh and Racine had several of their computer systems disabled. While both cities had secure offline backups of their data, the immediate impacts were severe.

In Racine, the report says, the city’s websites, email, voicemail and bill payment systems were taken offline, while Oshkosh was “taken to bed.”

But when BlueVoyant investigated the incidents, it found that both could be traced to phishing attempts that may have been carried out by actors abusing legitimate government email addresses that had been exposed in earlier data breaches and then obtained from dark web markets.

“Phishing emails are more compelling and malicious if sent by a trusted user,” the report says.

In Oshkosh, BlueVoyant found 555 unique instances of local government email addresses included in 38 different data breach events, while in Racine the company found 266 instances of credential compromise across 18 breaches that occurred between February 2017 and May 2020.

“Basically what happened is someone opens an email that looks pretty innocuous, but it’s very bad for your system, so someone opened it up and that’s what happened,” Oshkosh City Manager Mark Rohloff said in the report.

BlueVoyant later extended its analysis of compromised email accounts to 23 Wisconsin counties that flipped from Democratic to Republican in the 2016 presidential election, and discovered 4,518 instances of a government email address involved in 64 data breaches, including three instances in the massive 2016 breach of AdultFriendFinder, a social network for casual encounters.

Outgoing traffic

Berglas, the former FBI agent, offered state and local governments many familiar recommendations, including two-factor authentication and other cyber hygiene measures. He also said that non-federal government agencies should continue migrating to the .gov top-level domain, which comes with features such as two-factor authentication and HTTPS preloading, so that browsers only reach the site over an encrypted connection.

But he also said IT managers need to better monitor not only web traffic entering their networks, but also the outgoing signals sent by their systems, which can indicate whether they are being targeted or have already been compromised.

“We could see the outgoing traffic heading to known bad infrastructure,” he said. “It’s not the wrong analysis of the infrastructure. It is the sign of a compromise. A lot of people watch inbound traffic, but they don’t watch outbound traffic. We want to keep the bad things out, they’re already in.”
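As an added illustration (not code from the BlueVoyant report or from StateScoop), the script below applies the outbound checks Berglas describes to a few constructed firewall log lines: it matches destinations against a known-bad indicator list and also flags regular, beacon-like connections that can mark a compromised host before its destination appears on any feed. All addresses and the indicator set are placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import List, Set, Tuple

# Constructed sample outbound firewall log (not real traffic); 203.0.113/24 and 198.51.100/24 are documentation ranges.
SAMPLE_LOG = """\
2020-09-01T10:00:01 src=10.1.4.22 dst=198.51.100.7 dport=443 action=allow
2020-09-01T10:00:05 src=10.1.4.22 dst=203.0.113.45 dport=443 action=allow
2020-09-01T10:05:05 src=10.1.4.22 dst=203.0.113.45 dport=443 action=allow
2020-09-01T10:10:05 src=10.1.4.22 dst=203.0.113.45 dport=443 action=allow
2020-09-01T10:10:09 src=10.1.4.23 dst=198.51.100.7 dport=443 action=allow
2020-09-01T10:11:30 src=10.1.4.31 dst=203.0.113.99 dport=8080 action=allow
"""
# Constructed placeholder indicator set; a real deployment loads a curated threat feed.
KNOWN_BAD: Set[str] = {"203.0.113.99"}
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def parse_log(text: str) -> List[dict]:
    """Parse key=value firewall lines into dicts; lines that do not match are skipped."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        events.append({"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
                       "dst": m["dst"], "dport": int(m["dport"])})
    return events

def find_known_bad(events: List[dict], indicators: Set[str]) -> List[Tuple[str, str]]:
    """Outbound connections whose destination is on the indicator list."""
    return sorted({(e["src"], e["dst"]) for e in events if e["dst"] in indicators})

def find_beacons(events: List[dict], min_count: int = 3, tolerance_s: int = 2) -> List[Tuple[str, str]]:
    """Source/destination pairs contacted at near-constant intervals, a beacon-like pattern
    that can flag a compromised host even when the destination is not yet on any feed."""
    times = defaultdict(list)
    for e in events:
        times[(e["src"], e["dst"])].append(e["ts"])
    hits = []
    for pair, ts in times.items():
        if len(ts) < min_count:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(sorted(ts), sorted(ts)[1:])]
        if max(gaps) - min(gaps) <= tolerance_s:
            hits.append(pair)
    return sorted(hits)

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("known-bad destinations:", find_known_bad(evs, KNOWN_BAD))  # [('10.1.4.31', '203.0.113.99')]
    print("beacon-like pairs:", find_beacons(evs))  # [('10.1.4.22', '203.0.113.45')]
```

The 10.1.4.22 host never touches a listed indicator, which is exactly the case the interval check is there to catch.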
