This particular threat actor group is woefully underinformed, and based on their ransomware assumptions, is likely not from the US.

US school districts may appear to some have large budgets, but almost all of those budgets are committed to ongoing expenses that are deeply and contractually committed. There’s little to no discretionary budget, and even core resources are underfunded.  Not all that long ago, my public school textbooks were covered in years’ worth of markings from other students, and were written decades ago, back in the 70s and 80s. 

That the threat actors asked for $40 million and said they’d done their research merely proved that they were grossly uninformed. Asking for such an amount and saying you’ve done the research shows that.

Demanding such high ransomware from a school district also shows the worst of criminal intent – especially at a time when schools are struggling to sustain education in the midst of the pandemic, while taking on the added missions of reaching those kids suffering from food insecurity and unsafe home lives. Every independent security researcher and legitimate hacker group out there is trying to prevent exactly this sort of problem.

This attack underscores why cybersecurity for our public schools and local governmental agencies Must be part of the Infrastructure bill now being debated. 

The commercial and industrial sectors are learning that if they don’t invest in cybersecurity, they ultimately don’t have a product. The same holds true for the public sector – if local and state governments don’t invest in cybersecurity, they can’t effectively offer services and protect citizens’ data. Ultimately it impedes their ability to serve democracy on even the most basic levels, including protecting our childrens’ futures and offering fair and honest elections.

School systems will remain top targets, both because they don’t have the funds or resources to put security first, and because the PII of children can be so lucrative.

Once threat actors get ahold of kids identities, they can take advantage and place victims’ lives and well-being at risk, both immediately and then down the road. The first clue a child might get that their identity has been stolen could be years down the road, when they’re turned down for college loans or credit. Kids have become automatic targets at young age.

Now more than ever, we’ve got to support school infrastructures, including development of urgently needed cybersecurity infrastructure.

It’s understood and is heartening that the massive infrastructure bill now being debated includes funding for cleaner and less plastic-laden water, safer transportation, the addressing of racial opportunity inequities, cleaner air and other urgent needs. The securing of kids’ identities is another critical element in securing our future, and that starts with establishing the cybersecurity infrastructure of our local school districts and local governmental cybersecurity.

The Accellion file transfer product used by Sintel is 20 years old, and continues to be used by many organizations in the financial, governmental and commercial sector to transfer large files, despite Accellion’s offering of newer and more secure file sharing solutions.  That’s problematic – it’s the kind of decision that puts companies at sharply increased risk.  The fact is that breaches are going to happen, and possibly through a 3rd party.

The takeaway is that when a company pushes out security updates and urges their customers to adopt them, companies then need to take that advice and implement them. Like patches, product upgrades are crucial to sustaining a strong security posture.

These statistics paint a useful picture of the crisis we’re in, but they also show that too many organizations are still running ad hoc and expanding the problem because they don’t know in a timely way when breaches happen. There are four simple steps that every organization should take. The first is passwords – company and customer account passwords should never have less than 20 characters because they’re just too easy to crack. Companies need to enforce stricter password policies, both for the good of the organization and for their customers’ sakes. Everyone should be using password managers at this point, and also be warned never to reuse a password on or from any other account. It’s just too easy for passwords to get stolen and exploited, and yet people still reuse their favorite passwords across accounts.

Second, MFA needs to be enabled and required, and not just SMS, but MFA that allows the user to take advantage of an MFA app. Third, security must be embedded during site development. If an organization is using open source code, they need to invest in scanning to ensure that it’s safe, and remember that anything you use for free needs an investment behind it. Last, invest in detection tools, backups, and encryption – all of which are essential and should be universally employed at this point.

The thing we need to understand is that you don’t have to be a highly skilled attacker to be able to successfully breach a system like this. Although alarms would’ve been triggered before any dangerous water reached anyone’s taps, this plant was very lucky that the worker noticed his mouse moving and was able to address it quickly. Water plants are not known for their security resources, and between budget cuts and COVID keeping people working remotely, they’re even more vulnerable. It’s becoming easier and easier to access systems like these by people who have hardly any experience at all.

The area this happened it has a high population of children, and it’s disturbing to think someone would attempt to do harm like this.

I love that they actually got the statistic – 768% increase in remote desktop attacks. That’s definitely a number we need to be paying attention to. And 29B attempted attacks for the year is a reminder that the bad guys never take a break. A few things everyone should remember:

1. Password security is crucial. Make them long, make them different, make them strong. Have a password manager. Use 2FA (or MFA) to help add that extra layer of security. And please, don’t click on anything without verifying it with the sender first.
2. Have a playbook. And make sure it’s kept up to date. If you don’t have a playbook you likely don’t know what you’re up against, which also means you’ll be up against that “something” sooner than you think.

As most of us continue to work remotely, double checking files and links is an extra step. You can’t just yell across the hall, or visit someone else at their desk. Doing any IT troubleshooting is sometimes more difficult as well. As convenient as we’ve made working remotely, it still presents these extra steps to help stay secure that some people aren’t yet willing to continue to do every single time. Be paranoid. As weird as you might feel, always be paranoid. When you let your guard down is when you fall victim.

mHealth apps – even before the pandemic – have had real problems with security. Unfortunately, many of these types of apps don’t have strong security – they don’t allow MFA, they only require short passwords, and of course, the API-related issues this researcher has underscored. As stated in the report, we’re seeing people using healthcare apps even more now as a necessity driven by the pandemic.

Another area of vulnerability is how the apps are put together. Are they using OS software? If so, are they checking for vulns in OS code? That’s a common problem, and it’s worth remembering that anything that’s free usually comes with a price.

This is a case study in why every government needs to step in and enforce some fundamental data privacy protection legislation with penalties. Not too long ago, attackers deleted this company’s customer data base – but they had backups and were back in business.

Now, because of a failure to practice fundamental encryption to protect their customers’ data, some 400 million peoples’ financial, location, national identity cards and personal data has been exposed, and their lives are likely to be upended at some point.

In 2021 encryption should be a no brainer. The first step must be better regulation governing all organizations collecting financial data and requiring them to use encryption. That mandate must come from all national governments large and small, with superpowers such as the US taking a lead, and with Zero Trust policies enforced as well.

Here in the US, we also lack requirements of businesses that reflect the practices mandated by the EU-US privacy Shield and GDPR. It’s past due time, and until our legislators take strong and informed actions, people are only going to continue getting hurt.

There are many layers to data privacy, but one of them centers around a fundamental need for governments to re-think and more aggressively protect our rights as citizens to own our own data if we so choose.

Major Tech has benefited and profited from the trust that consumers unknowingly placed in them to protect our data and hold it private, rather than commoditizing it.

We’ve inherently accepted that they are allowed to collect our data for their purposes, without disclosing how that data is being used. Today, the major social media companies know so much more about their billions of subscribers than most realize. In fact, in terms of consumer rights and transparency they act a bit like they are their own personal governments and tend to set rules that most aren’t aware of and don’t understand.

Documentaries such as “The Social Dilemma” are starting to peel back the layers of what’s involved in examining the current state of privacy rights and allowing consumers to reclaim ownership of their data. Europe’s “right to be forgotten” is a helpful model for what future US legislation could look like, but for the time being, social media’s unchecked data gathering has ballooned, prompting concerns such as about who is choosing the content that is being served to us, who has access to our data, and what they’re using it for.

It comes down in the end to how much data harvesting that We the People will awaken to and continue to permit social platforms to conduct. Will the public remain passive or urge legislators to take strong actions? One good start would be shifting from “opt out” practices to “opt in” ones – where decisions about whether and how much personal data to allow a social platform to share begins with the consumer, not with a company whose “opt out” mechanisms may be muddy and hard to navigate.

I find it really fascinating that in the U.S., we have the cheapest fullz at about $8/record. We know that in the countries that are the highest – Japan, UAE and Europe – they’re taking extra steps to make sure all companies are adhering to some sort of data privacy and protection. In the U.S., we don’t put it as high up on the priority list as they do, and this research clearly shows that.

Companies – and consumers – need to do better at privacy. Better passwords, having password managers, requesting multi-factor authentication. We need better regulation, better legislation. And, really, we need more overall awareness of our digital footprint. Close accounts you don’t or won’t use. Delete payment info. Reset passwords to be more than 20 characters.

It's easier to prevent a fire than to put one out.

It’s interesting that they are targeting construction – that’s an industry that hasn’t received as much attention from attackers as other sectors. Usually, attackers are focused on healthcare, finance, energy, and retail – but those industries have certainly increased their investments in cybersecurity training over the last two years, so these attackers cleverly shifted to construction, where every initiative involves tens of millions or often hundreds of millions of dollars, and deadlines and regulatory requirements must be strictly adhered to.

The attack approach was also clever: a fake login that already self-populates, so that most people wouldn’t be suspicious of the possibility of a phishing attack. Usually, when something self populates it’s viewed as legit and trusted. That’s why this campaign went undetected so often. They were clever but not clever enough, since they forgot to close their own server down and as a result, blew their chance to monetize their loot. 

We need to understand that these phishing attacks are getting more and more realistic, and the public needs to know that if they don’t consider their sector a target, it’s a very safe bet that it actually is.