Two of legal’s top cybersecurity pros recount the latest, craziest cybersecurity and cybercrime stories of 2020, beginning with this week’s massive hack of U.S. government agencies.
COMPROMISED: U.S. Dept. of Commerce, Treasury, State, Homeland Security, NIH and the Pentagon
Graham Cluley reported on December 15 that the United States Departments of Commerce, Treasury, State and Homeland Security, the National Institutes of Health and the Pentagon have had their networks compromised in what seems to have been a massive supply-chain attack on American government systems.
The unwitting source seems to be enterprise monitoring software company SolarWinds, which has more than 300,000 customers worldwide. In a regulatory disclosure issued December 14, SolarWinds offered limited details of what happened.
According to the company, hackers “inserted a vulnerability within its Orion monitoring products which, if present and activated, could potentially allow an attacker to compromise the server on which the Orion products run.”
The malicious code was present in Orion product updates released between March and June 2020, after the attackers compromised the software build system for Orion.
SolarWinds said it believed the security breach was likely the result of “a highly sophisticated, targeted and manual supply chain attack by an outside nation state.”
Some experts are already blaming the APT29 hacking group (also known as “the Dukes” or “Cozy Bear”), which has close ties to Russian intelligence, but SolarWinds says it has not confirmed the identity of its attackers.
The breaches, which were made public after the high-profile state-sponsored compromise of cybersecurity company FireEye, are said to have resulted in some 18,000 customers of SolarWinds downloading malicious versions of Orion that could have been exploited by the hackers to gain backdoor access to networks.
Currently, we don’t know how many of those customers have actually experienced a data breach.
The prevailing theory seems to be that a state-sponsored attacker is responsible, perhaps focusing their attention on the highest value targets inside the U.S. government.
The Cybersecurity & Infrastructure Security Agency has issued an emergency directive urging all federal agencies to check their networks for evidence that they might have been compromised and disable SolarWinds Orion products immediately.
In a security advisory, SolarWinds has told at-risk customers to upgrade to Orion Platform version 2020.2.1 HF 1 “as soon as possible to ensure the security of your environment.”
This is one heck of a disturbing story. We sure hope the president-elect is working hard on plans to shore up the cybersecurity of federal government entities.
Now … Back to Our Originally Scheduled Craziest Stories Post!
Heaven help us — we hardly know where to start.
OK, we’ll just quote a headline from Vice: “New Yorker Suspends Jeffrey Toobin for Masturbating on Zoom Call.” You can’t make it up, right? Somehow a highly respected New Yorker reporter, during a call between several New Yorker reporters and a radio station, didn’t realize his video was on while he was touching himself.
He Was Not Alone …
A Florida court was Zoom-bombed in August by pornography after someone changed the secure Zoom defaults and allowed screen sharing, allowed participants to unmute themselves and completed the fiasco by posting the hearing link publicly at the Florida state attorney’s office website, complete with time and ID number.
That’s a trifecta of stupidity.
So the court hearing for 17-year-old Graham Clark of Tampa, Florida (alleged mastermind of the July 15 hack against Twitter, which resulted in a bitcoin scam after the accounts of high-profile Twitter users were compromised) was terminated swiftly after someone injected a pornographic video clip into the proceeding.
No matter how well Zoom secures its platform, if you mess with the secure default settings, you are setting yourself up for disaster.
A law firm in Oklahoma learned the same lesson earlier this year. On August 14, Oklahoma’s NBC 4 reported that an Oklahoma City law firm (not named) set up a Q&A session in May that was open to the public.
Someone named “Christine” joined the meeting and began showing a graphic video of a man sexually assaulting a child.
The meeting was brought to a quick close, followed by an investigation by both the Oklahoma City police and Zoom. User error again.
The Year’s Big Story: Ransomware
While we could recount Zoom stories forever, the big story of the year for the legal world was ransomware.
Law firms, bar associations and all manner of other organizations were hard hit. Ransomware surged by 715% in the first half of 2020, and 27% of victims are now paying the ransom, especially when the cybercriminals have stolen firm data before they encrypted it.
That gives the criminals a second lever: even if you can restore your data from your own good backups, they can demand a ransom in exchange for destroying the stolen data rather than publishing it.
The authors had all but begged our clients to allow us to put endpoint protection on their networks. But three law firm clients did not and were subsequently struck by ransomware. To their credit, all three clients were quick to blame themselves for not listening to our entreaty. Happily, they all had backup protection solutions and were up and running in less than a day without having to pay the ransom. They all signed up for endpoint protection subsequently. A hard-earned lesson.
But if you want the craziest story of the year, we were called in by a firm (not previously a client) that had been struck by ransomware and was completely out of business with NO USABLE backup. All the backups, local and remote, were deleted with no possibility of recovery. There were no multiple cloud backups impervious to ransomware.
The requested ransom was $250,000. We spent a pleasant Sunday afternoon with Homeland Security as we both realized we were dealing with a network that was completely and utterly screwed. Homeland Security understood the severity of the situation and did not object to paying the ransom. A ransomware negotiator (can you believe there are companies that specialize in this now?) got the ransom down to $100,000, which the (now) client paid.
What Could Go Wrong?
Even with the decryption key and multiple employees deployed to recover the data, it took a week to get them fully operational. Then we had to do a security assessment of the network because, clearly, their security posture was worse than anything we had ever seen, especially in a large organization. Here’s some of what we found:
- As mentioned above, the backups were not properly engineered.
- More than 100 users were using two- to four-character passwords to access the network.
- About 100 to 150 users were sharing the same password.
- There was no enforcement of password requirements and changing passwords periodically. It was OK for users to have their username and password be the same.
- There was no network diagram or documentation.
- Lots of software was out-of-support and receiving no security patches.
- Logging was not enabled, which complicated the investigation of the data breach.
- The onsite IT staff had a “no patch” policy. This is lunacy in the extreme. The staff member advised us that “patches break things” so he didn’t believe in them. Oy. For those who may not know, there are managed services that test patches before they are deployed. The updates are blacklisted if problems are discovered. Updates that pass testing are automatically deployed to managed devices.
An Inside Job
Switching gears, on November 4, it was reported that law firm Cole Schotz had obtained a restraining order against a former associate who allegedly used social media to disseminate confidential documents belonging to the firm and its clients.
Myles MacDonald, a former bankruptcy associate in the firm’s Wilmington, Delaware, office, appears to be a disgruntled ex-employee. He resigned from the firm in 2019, but at some point began releasing law firm files trying to damage “BigLaw,” against which he had some sort of grudge.
Lesson? Get data loss prevention software — and don’t forget to have an employee out-processing list. We’ve also seen intrusions from former employees whose access to the law firm network wasn’t terminated when they left or were fired.
For those who may not know, ABA Formal Opinion 483 requires that lawyers monitor for breaches of confidential client data, stop the breach and notify the affected clients. Now would be a good time to confirm that logging is enabled as a minimum — and perhaps implement some sort of IDS/IPS (intrusion detection system/intrusion prevention system).
One Last Nutty Scenario That Could Have Been Easily Stopped
We have seen an increasing number of business email compromises. In our home state of Virginia, a number of prominent lawyers’ email accounts have been compromised. We know this because author Nelson is a former VSB President, so she has been getting the phishing emails “from her friends” resulting from the compromises.
Remember, once they compromise your email, they have all your contacts, all your email, calendar entries and so on. There is nothing you can do about that once it has happened. You can only prevent it in the future (and why weren’t you doing this before?) by implementing multifactor authentication, which stops 99.9% of account takeovers. If you have been a victim of this kind of compromise, make sure the cybercriminal hasn’t mucked with your email rules — for instance, by auto-forwarding all subsequent emails to their address.
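As an added illustration (not part of the original column) of the post-compromise check described above, the following script audits a set of mailbox inbox rules and flags any that forward or redirect mail outside the firm's own domains. The rule records, the `example-law.com` domain and the `audit_rules` function are all constructed for this example; it goes slightly beyond the column by also flagging rules that delete the forwarded message or that are disabled but could be switched back on.

```python
"""Audit mailbox inbox rules after a suspected business email compromise.
All mailboxes, rules and domains below are constructed sample data."""

ORG_DOMAINS = {"example-law.com"}  # assumption: the firm's own mail domains

# Constructed sample rules in a simplified, vendor-neutral shape.
SAMPLE_RULES = [
    {"mailbox": "partner@example-law.com", "name": "Archive newsletters",
     "enabled": True, "forward_to": [], "redirect_to": [], "delete": False},
    {"mailbox": "partner@example-law.com", "name": ".",
     "enabled": True, "forward_to": ["backup.mail.7731@webmail-example.net"],
     "redirect_to": [], "delete": True},
    {"mailbox": "assistant@example-law.com", "name": "Copy to paralegal",
     "enabled": True, "forward_to": ["paralegal@example-law.com"],
     "redirect_to": [], "delete": False},
    {"mailbox": "assistant@example-law.com", "name": "Old rule",
     "enabled": False, "forward_to": [], "redirect_to": ["me@webmail-example.net"],
     "delete": False},
]


def domain_of(address):
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def audit_rules(rules, org_domains=ORG_DOMAINS):
    """Return one finding per rule that sends mail outside the organization.

    Disabled rules are still reported (they can simply be re-enabled) but the
    finding says so, so an administrator can prioritize the active ones."""
    findings = []
    for rule in rules:
        external = [addr for addr in rule["forward_to"] + rule["redirect_to"]
                    if domain_of(addr) not in org_domains]
        if not external:
            continue  # internal-only forwarding is normal business use
        reasons = ["forwards or redirects outside the organization: "
                   + ", ".join(external)]
        if rule["delete"]:
            reasons.append("also deletes the message, hiding it from the mailbox owner")
        if len(rule["name"].strip()) <= 1:
            reasons.append("near-empty rule name, often used to make a rule easy to overlook")
        if not rule["enabled"]:
            reasons.append("currently disabled, but could be re-enabled")
        findings.append({"mailbox": rule["mailbox"], "rule": rule["name"],
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(finding["mailbox"], repr(finding["rule"]), "->", "; ".join(finding["reasons"]))
```

In practice the rule list would be exported from the mail platform's admin tooling; the point is that every rule sending mail to a domain the firm does not own deserves a human look.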
All these nightmares were real. Since we are all living in Crazytown these days, make sure you shore up your defenses, especially in a work-from-home environment.
Sharon D. Nelson (SharonNelsonEsq) is a practicing attorney and the president of Sensei Enterprises, Inc. She is a past president of the Virginia State Bar, the Fairfax Bar Association and the Fairfax Law Foundation. She is a co-author of 18 books published by the ABA.
John W. Simek (@SenseiEnt) is vice president of Sensei Enterprises. He is a Certified Information Systems Security Professional, Certified Ethical Hacker and a nationally known expert in the area of digital forensics. He and Sharon provide legal technology, cybersecurity and digital forensics services from their Fairfax, Virginia, firm.
Subscribe to Attorney at Work