Information Security

How The DOJ Recovered $2.3 Million Paid During The Colonial Pipeline Ransomware Hack

Unless you’ve been living under a rock, you’ve almost certainly heard of the ransomware attack on Georgia-based Colonial Pipeline on May 7th, 2021, which forced the company to freeze many of its IT systems in order to prevent further damage. The attack itself was carried out by an advanced persistent threat (APT) group that goes by the name of Darkside.

This particular APT group is highly sophisticated and, like groups such as Maze, states that it will never target critical or otherwise vulnerable bodies such as schools, hospitals and governments. In this instance, they went after the business side of Colonial Pipeline rather than pipeline operations, which could have been devastating to oil and gas markets not just in the U.S. but internationally as well.

How The DOJ Recovered Coins From a Bitcoin Wallet

In a news release on June 7th, 2021, the U.S. Department of Justice announced that it had recovered 63.7 bitcoins, valued at approximately $2.3 million USD, by seizing a bitcoin wallet that was used by the threat actors.

When Colonial Pipeline paid the 75 bitcoin ($4.4 million) ransom to the Darkside group, they would have had to send it to one or more bitcoin wallets. A bitcoin wallet address is just a string of between 26 and 35 characters that is entered as the recipient of a bitcoin payment. It’s kind of like entering your friend’s email address when sending them an eTransfer, except that bitcoin wallet addresses don’t identify the owner in and of themselves.

Bitcoin blockchain data is publicly searchable and available via various websites such as Blockchain.com. The DOJ was lucky enough to find that the bitcoin wallet, and thus the bitcoins within it, was managed by a company over which it had jurisdiction. Even though the wallet address doesn’t identify the owner, the address has to be generated by software. In this instance, that software was owned by an organization that the U.S. DOJ was able to obtain a warrant for.

With that warrant, the DOJ obtained the private key for that bitcoin wallet, accessed it, and withdrew the funds within it. A private key is a second string of alphanumeric characters that is generated for every bitcoin wallet address. The private key acts as the password for accessing the wallet, and should be stored securely and safely.

The funds took an interesting route to their final wallet, so the DOJ simply had to follow the money until it reached a wallet it could access. I’ve put the timeline into a table and included the last 6 characters of each bitcoin wallet address so that you can see how the funds were possibly laundered through a number of other wallets until they sat in a wallet that the DOJ was able to gain access to.

Date        Sender               Amount (BTC)   Recipient
5/8/2021    Colonial Pipeline    75             xxxxxxxxxxxxXjc9fr
5/8/2021    Unknown              0.0005         xxxxxxxxxxxxXjc9fr
5/8/2021    xxxxxxxxxxxxXjc9fr   0.00001693     xxxxxxxxxxxxfytpsf
5/8/2021    xxxxxxxxxxxxXjc9fr   75.00034246    xxxxxxxxxxxxXg7q5X
5/8/2021    xxxxxxxxxxxxXg7q5X   74.99998307    xxxxxxxxxxxxfytpsf
5/8/2021    xxxxxxxxxxxxXg7q5X   0.00006748     xxxxxxxxxxxxtKycsm
5/8/2021    xxxxxxxxxxxxfytpsf   11.24962019    xxxxxxxxxxxxz99zwt
5/8/2021    xxxxxxxxxxxxfytpsf   63.74998561    xxxxxxxxxxxxeqwg45
5/9/2021    xxxxxxxxxxxxeqwg45   63.7           xxxxxxxxxxxxKcdNxB
5/9/2021    xxxxxxxxxxxxeqwg45   0.04976631     xxxxxxxxxxxxeqwg45
5/27/2021   xxxxxxxxxxxxKcdNxB   69.60422177    xxxxxxxxxxxxcfsegq

What you might notice is that the wallet seized by the DOJ contained a little more than 69 bitcoins. Colonial got the 63.7 bitcoins that the DOJ could track directly back to their payment, and the DOJ is going to be the recipient of 5.390422177 bitcoins, or just over $188,000 USD.
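The "follow the money" walk in the table can be reproduced as a small tracing script. This is an added example, not code from the post: the hops are transcribed from the table above (with the six-character address suffixes standing in for full addresses), and the rule of always following the largest outgoing transfer is a simplifying assumption that ignores the small change outputs.

```python
from collections import defaultdict
from decimal import Decimal

# Hops transcribed from the table in the post; only the last six characters
# of each address are known, so those suffixes stand in for the addresses.
TXS = [
    ("5/8/2021",  "Colonial Pipeline", "75",          "Xjc9fr"),
    ("5/8/2021",  "Unknown",           "0.0005",      "Xjc9fr"),
    ("5/8/2021",  "Xjc9fr",            "0.00001693",  "fytpsf"),
    ("5/8/2021",  "Xjc9fr",            "75.00034246", "Xg7q5X"),
    ("5/8/2021",  "Xg7q5X",            "74.99998307", "fytpsf"),
    ("5/8/2021",  "Xg7q5X",            "0.00006748",  "tKycsm"),
    ("5/8/2021",  "fytpsf",            "11.24962019", "z99zwt"),
    ("5/8/2021",  "fytpsf",            "63.74998561", "eqwg45"),
    ("5/9/2021",  "eqwg45",            "63.7",        "KcdNxB"),
    ("5/9/2021",  "eqwg45",            "0.04976631",  "eqwg45"),
    ("5/27/2021", "KcdNxB",            "69.60422177", "cfsegq"),
]


def balances(txs):
    """Net BTC per address after every hop. Decimal rather than float so
    satoshi-level amounts add up exactly; a self-send nets to zero. A negative
    balance means the address was funded by transfers outside this table."""
    bal = defaultdict(Decimal)
    for _date, sender, amount, recipient in txs:
        amt = Decimal(amount)
        bal[sender] -= amt
        bal[recipient] += amt
    return dict(bal)


def follow_the_money(txs, origin):
    """Walk from `origin` along the largest outgoing (non-self, unvisited)
    transfer at each address until the funds stop moving. Returns the list of
    addresses visited, ending where the bulk of the money came to rest.
    Assumption: the largest hop carries the tracked funds; the small payments
    to tKycsm and z99zwt are treated as change and left aside."""
    path, seen = [origin], {origin}
    while True:
        outgoing = [(Decimal(a), r) for _d, s, a, r in txs
                    if s == path[-1] and r != s and r not in seen]
        if not outgoing:
            return path
        _amt, nxt = max(outgoing)
        seen.add(nxt)
        path.append(nxt)


if __name__ == "__main__":
    print(" -> ".join(follow_the_money(TXS, "Xjc9fr")))
    for addr, btc in balances(TXS).items():
        print(f"{addr:>18}: {btc:+.8f}")
```

The negative balance reported for KcdNxB shows that the seized wallet received more than the 63.7 BTC traced here, which is why it held just over 69 BTC when seized.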

What Is “Security-Focused” Website Hosting?


The Internet has changed, and so has how the majority of us use it. According to Google there were 1,197,982,359 websites in the world as of January 2021.

When the Internet was made up of only a few hundred thousand websites it was quite easy to get people to reach your website, as you had a higher chance of being on the first page of whichever search engine they were using. As things grew, and there were millions of websites around the world, search engines needed to become smarter. This led to Internet marketing and Search Engine Optimization (SEO), where individuals would learn the techniques that search engines use and then apply them to their websites to ensure that they “outranked” other websites.

Today, we have over 1 billion websites around the world, and the fact of the matter is that people are getting to your website because they either already know it, or went looking specifically for it. Many web hosting companies still want to sell you “Website Marketing” services and super low-cost website hosting with unlimited everything. Unfortunately, you aren’t using unlimited. In fact, you aren’t using even close to unlimited. A medium-sized eCommerce website might use around 8.5 GB of transfer per month, given a 100 Kb page size and 1000 visits per month.

We let you drive traffic to your website in whatever way you choose, while we focus on keeping your website secure and available to your customers and clients. Our staff of Information Security professionals have over 15 years of experience in the Technology and Information Security industry, and follow the guiding principles of Confidentiality, Integrity, and Availability (C.I.A.). We ensure the Confidentiality of your information, your website, and your clients and customers. We maintain the Integrity of your data in motion (transfer and delivery to your visitors) and at rest (storage). Finally, we make sure that the Availability of your website is there when you need it.

Your website is now an extension of your store front. How can we help?

Government of Canada Quietly Rolls Out Multi-Factor Authentication


I don’t quite know when, but the Government of Canada seems to have quietly rolled out multi-factor authentication (MFA) on its CRA portal. I expect this happened at some time within the last week; at least for me it did. The only information I found on their website is detailed in this post.

This new service, named GCVerify, is a phone/SMS-based MFA solution that is now required after logging in to your CRA Account with either your GCKey credentials or Sign-In Partner.

If it’s the first time that you’ve logged in since the implementation you’ll be walked through setting up MFA by providing your phone number. You’ll receive a code via telephone call or SMS to confirm your identity.

InfoSec Check

Identity Validation

This identity validation confirms that your phone number should be associated with your username.

You should never allow anyone to access your telephone or text messages. A threat actor with access to your text messages can bypass text-message-based two-factor authentication (2FA) very easily. If given the choice, you should use a 2FA application such as Google Authenticator.

After setup you’ll be prompted to enter a one-time passcode every time you log in to your CRA account. This includes both Personal and Business accounts.

Multi-factor Authentication page as seen during the Government of Canada CRA Login

The Personal Information Collection Statement page has also been updated (third paragraph) to reflect the changes, although the information itself leaves a lot to be desired. I’ve copied the specific paragraph that talks about multi-factor authentication below.

We have a multi-factor authentication process for our online services. We collect the telephone number (landline or cell), method of delivery of the one-time passcode (telephone call or Short Message Service (SMS)) and language of choice to receive the one-time passcode that you provide when enrolling in multi-factor authentication. We share this information with the third party responsible for generating and sending you the code. The code you enter is also shared with the third party to ensure it matches before allowing you access to our online services.

It doesn’t specifically mention which vendor; however, when I dug through the Public Works and Government Services Canada website, I came across a tender notice titled Invitation to Qualify (ITQ) Identity and Access Management (IdAM) Software Solution, posted 2020/06/22, that has several mentions of multi-factor authentication. It’s a bit of an assumption, but I wasn’t able to find anything more relevant. It lists N7030:ADP Software as the Goods and Services Identification Number (GSIN).

This is definitely a step forward, but hopefully not a stopping point for the Government of Canada. As mentioned, phone-based and SMS-based MFA has its own issues, but at least it’s something, right? The fact that it’s enforced on each and every login is great, and the tokens definitely time out, although I’m unsure how long that timeout is. But you can’t currently manage any part of the service, so if you want to update your telephone number you will have to contact the CRA helpdesk at 1-800-959-8281.

And no, you can’t disable it. But, I wouldn’t suggest that you did anyway.


Additional Resources:

Multi-factor authentication to access CRA login services

How Hackers Use Free Software To Spread Malware

Bad Microsoft Store Downloads

In a world where the Covid-19 virus is dominating and forcing businesses to shutter or employees to work from home, technology companies are stepping up in a big way to offer many of their services and products at reduced or no cost. This has made the forced transition to a primarily remote workforce easier in so many regards, but it also adds an element of risk that some companies aren’t necessarily thinking about these days, and I can’t blame them.

To understand the risk that software poses, it’s important to understand the multitude of ways that a bad actor can take advantage of companies offering free software to spread malware and possibly steal your data. When we talk about this type of risk we’re often talking about third-party risk. It’s third-party because you often don’t have the same control over the software as you would over something you developed in house.

Understanding the Software Supply-Chain

If you look at any piece of enterprise software in 2020 it will almost certainly be built with a number of frameworks like .NET, Node.js, and Ruby on Rails. These frameworks can save thousands of hours of development time by providing libraries of predefined code. In using these frameworks, you are likely NOT reviewing the code yourself, but are relying on the developers of these libraries to ensure that vulnerabilities don’t exist in their code.

A well-known example of a supply-chain attack was the Target breach. A bad actor was able to take advantage of a flaw in the software of Target’s HVAC vendor. The vendor software running on the Target network had a vulnerability that allowed the bad actor to enter the network. Once inside the network they only needed to find a way to move laterally to more important computers with more important information on them.

Free Software Makes Supply-Chain Attacks Easier

I love free software as much as the next guy, just make sure that you’re getting it from an appropriate source. A quick search of the Microsoft Store itself brought up a number of free programs being peddled for cash (seen in the picture above). These are NOT official releases of this software, but they are certainly easier for any Windows user to access than the official ones. Here are the actual and safe links, for your information.

https://www.qbittorrent.org/
http://www.darkaudacity.com/
https://www.smplayer.info/
https://pwsafe.org/

There is simply no guarantee that the above publishers didn’t modify the software in some way that could track you or steal data. In so many cases these publishers bundle adware to make a quick buck.

Protecting Yourself

  • Track any third-party code or relationships to ensure that security releases are applied when appropriate. This might be as simple as an Excel spreadsheet or as complex as an entire third-party risk management department.
  • Always download software from official sources. A quick Google search of the software will often bring up the appropriate website as the first result.
  • Eliminate the human factor by providing employees with security awareness training on a regular basis.