When You Can No Longer Trust The Software You Trust

By Randy Rose, Director of Cybersecurity

By Randy Rose, Director of Cybersecurity

A multitude of news stories within the last several months have revealed numerous businesses and products that are not as trustworthy as we, collectively, had previously thought. The first is CCleaner, a computer utility used to clean malicious and potentially unwanted files, such as temporary Internet files, which is, according to developer Piriform, “trusted by millions” for its “award-winning PC optimization 1 .”

So what’s the problem? It was compromised by hackers in August who redirected users to malicious servers hosting their own code rather than Piriform’s servers. According to Reuters, more than 2 million users downloaded a malicious version of CCleaner (CCleaner v5.33.6162 or CCleaner Cloud v1.07.3191) and may have exposed their computers and attached networks to a wide variety of threats, including ransomware 2. While Piriform claims that law enforcement helped mitigate any infections proactively, the fact remains that a trusted organization had their supply chain disrupted by a capable cyber adversary.

It was also recently revealed that another trusted software vendor, Hewlett-Packard Enterprises (HPE), allowed a Russian company associated with Russian Defense Services and at least one Russian Intelligence Service access to the source code for ArcSight3. ArcSight is a security information and event management (SIEM) tool which is used to correlate event logs and other alerts for cyber threat detection, analysis, and triage response, as well as monitor system compliance and similar basic security functions. The United States Department of Defense and many other government agencies in the U.S. and Europe as well as an alarming number of Fortune 500 companies employ ArcSight on their networks.

Okay, okay – what’s the big deal with showing them the source code? The problem is two-old. First, a program’s source code is the secret sauce that makes the program work. Source code is the human- readable back-end programming that contains all the instructions that the software gives to the computer on which it is running. Revealing a program’s source code creates the potential for someone to find a vulnerability, or flaw, in the code which allows that person or others to leverage it for their own purposes. And those purposes are usually not in the name of public good, which brings us to the second problem: the Russian Intelligence Service that may have been granted access to the code or to discovered vulnerabilities within the code is the Russian Federal Security Service, or FSB as it is more widely known.

The FSB was born of the ashes of the KGB and has two principle focuses: internal security and counterintelligence 4. The FSB has been loosely attributed by multiple threats intelligence firms to malicious cyber activity aimed at a number of commercial and government organizations around the world. In the cybersecurity domain, they are known by the monikers Advanced Persistent Threat (APT) 29, Cozy Bear, CozyCar, and Office Monkeys, and are associated with a wide array of malware campaigns containing the word “Duke” (e.g., CozyDuke, CosmicDuke, OnionDuke, etc.). The Cozy Bear group is assessed by FireEye to be behind the HAMMERTOSS malware which obfuscates malicious commands through commonly used websites Twitter and GitHub 5. In other words, it is well within the realm of possibility that the most sensitive inner workings of a major security tool used by healthcare organizations the world over allows remote access to a very capable cyber adversary which may now be able to easily disguise its attacks.

It was also recently revealed that the 2013 breach of 1 billion Yahoo! email accounts, which was the largest records breach of all-time, was not reported properly. In reality the number of records breached was 3 times as high at 3 billion 6! While most healthcare organizations shy away from using personal email services for business, they typically allow employees to access their personal mail from business networks which could well have exposed those networks to compromise. This risk is significantly increased when coupled with other poor security practices such as giving users local administrator privileges, lack of network segmentation, and not enforcing multi-factor authentication.

While ransomware remains a top threat facing health systems worldwide 7, it is important to remember that cybersecurity must address risk at all levels. Good cybersecurity requires a whole-of-business approach. When you lose faith in the applications and services you have trusted for years, it’s easy to feel frustrated and to wrestle with the next decision. Tasman Global can help you design a security program that reduces the most risk without depleting your IT budget because it’s tailored just for you.

If you are interested in learning more about cybersecurity mitigation and custom solutions please drop us a line because we’d love to chat!