NetDiligence Cyber Risk Canada Series just days away
Cyber risk management and service provider NetDiligence hosts its annual Cyber Risk Canada Series summit on April 26-29, 2021. Toronto’s virtual conference, one of five held globally by NetDiligence each year, is expected to attract hundreds of cyber insurance professionals, legal/regulatory experts, and security/privacy technology leaders from all over the world. This year’s conference features ISA Cybersecurity’s President & CEO, Kevin Dawson, who is scheduled to participate on a panel April 29 at 12:20 p.m. ET to discuss cyber breach remediation and restoration.
CSIS highlights cybersecurity concerns in annual report
The Canadian Security Intelligence Service (CSIS) released its 2020 public report this week. The new edition of the report provided a section dedicated to cybersecurity concerns and the threat they pose to national security.
The report describes the persistent and growing threats from nation-states, going as far as to explicitly name the People’s Republic of China and Russia as countries of concern. “Canadian interests can be damaged by espionage activities through the loss of sensitive and proprietary information or leading-edge technologies, and through the unauthorized disclosure of classified and sensitive government information,” explains the report.
“Canada remains a target for malicious cyber activities and a platform from which hostile actors attempt computer network operations (CNOs) against entities in other countries,” continues the report, highlighting the risks created by the increased reliance on computer technology for day-to-day life, coupled with the expanded threat surface created by the work-from-home environment so prevalent in 2020. The report also draws attention to recent threats to Canadian, British, and American organizations involved in COVID-19 response and recovery efforts; criminal activities threatened to steal intellectual property related to vaccine development and disrupt vaccine distribution.
CSIS continues to play an integral role in the execution of Canada’s National Cyber Security Action Plan, which summarizes the seriousness of national cyber risk succinctly: “The threats we face in cyberspace are complex and rapidly evolving. Governments, businesses, organizations, and Canadians are vulnerable. With more of our economy and essential services moving online every year, the stakes could not be higher.”
More Exchange Server vulnerabilities fixed on Patch Tuesday
Microsoft’s “Patch Tuesday” for April 2021 revealed that a new series of Microsoft Exchange Server bugs have been identified and fixed. Microsoft Exchange Server versions 2013, 2016 and 2019 are affected, with the vulnerabilities only found in on-site versions of the mail server platform – cloud services are not affected. Unlike last month’s Exchange server security flaws that shook the computing world, however, this set of vulnerabilities is not currently being exploited in the wild. Nonetheless, the fixes need to be applied as soon as possible; once fixes are released, threat actors are often quick to reverse engineer exploits to take advantage of unpatched systems.
FBI takes charge in helping to mitigate Exchange compromise
In a remarkable move revealed this week, the FBI advised that it had secured government approval to ethically hack hundreds of organizations to remove malicious “web shells” from onsite versions of Microsoft Exchange Server software that had been compromised.
A federal court in Texas granted the warrant that allowed the FBI to conduct the stealth cleanup operation, which started on Friday, April 9 in at least eight U.S. states. The system changes were made without notice or the knowledge of the organizations running the Exchange Server software, though the FBI has advised that it is making efforts to contact system owners – after the fact. The FBI apparently took the unprecedented step to mitigate the security risks being created by companies that still have not patched their compromised Exchange systems, several weeks after the news of the critical security flaws in the email platform.
The operation “did not patch any Microsoft Exchange Server zero-day vulnerabilities or search for or remove any additional malware or hacking tools that hacking groups may have placed on victim networks by exploiting the web shells,” according to the bulletin from the U.S. Justice Department. The cleanup strictly focused on removing web shells which could potentially be used for remote access by threat actors. “The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path).”
While the motives are laudable, the action taken creates an uncomfortable precedent. Companies are urged to do their own patching and secure their own systems without law enforcement making unilateral changes to their computing environment.
Energy regulator highlights unprecedented increase in cyber threats
At a virtual press briefing on April 13, North American Electric Reliability Corporation (NERC) Senior VP Manny Cancel described an “unprecedented” increase in cyber threats faced by the electricity sector over the previous 18 months. He explained that the heightened risk stems from the expanded threat surface created by the number of staff working remotely in the COVID-19 era, combined with increasing threats from foreign adversaries
The Hill quoted Cancel: “While cyber and physical security has always been a top priority, the events over the past year have really differentiated themselves… It really has been an unprecedented 12-18 months.”
Cancel did highlight some good news despite the gloomy cybersecurity outlook. Though nearly a quarter of the 1500 utilities affiliated with NERC reported that they had downloaded compromised versions of SolarWinds software, none of the providers had suffered a successful breach. “Our sector did not appear to be a target of this attack, and as a result we saw no threats that would indicate a compromise or any impact on the reliability of the bulk power system,” Cancel said. “We continue to watch this very closely,” he continued, highlighting the importance of managing supply-chain cyber risk exposures.
Cancel, a veteran in the industry, spent the bulk of his career at Conn Edison, serving as Auditing Director before spending six years as VP & CIO until his retirement at the end of 2019.
The North American Electric Reliability Corporation (NERC) is a not-for-profit international regulatory authority whose mission is to assure the management of risks to the reliability and security of the continental power grid. Energy concerns in Canada and the United States recognize NERC in its standards and oversight role.
Another U.K. school hit by ransomware
Education was in the crosshairs again this week as the University of Hertfordshire reported that it had suffered a serious cybersecurity breach on April 14. According to its website, “The University of Hertfordshire has suffered a devastating cyberattack that knocked out all of its IT systems, including Office 365, Teams and Zoom, local networks, Wi-Fi, email, data storage and VPN.”
The university was forced to cancel all of its online classes for the balance of the week, but is confident that most live online teaching can resume by Monday, April 19.
A banner on the school’s website sought to reassure students and faculty that the attack only involved ransomware, advising that “there is currently no evidence to suggest that any data has been taken”.