SecurIT 2019: Hackers may be in it for Lulz, but CSOs are in it for their lives

Big businesses may spend more on security but their complexity makes them easier to hack, a former teenage hacker told an audience of big-business CSOs in opening up a day of insights at CSO Australia’s SecurIT conference this month.

More than 120 security executives attended the inaugural Melbourne event, which brought together a range of speakers from industry and end-user organisations to explore the threats facing organisations and their CSOs today.

Smaller organisations had fewer potentially vulnerable systems and more predictable IT environments that could be effectively secured and controlled – which makes them harder to compromise. However, a history of problematic strategic decisions, such as Sony’s controversial move to silently install rootkit-based digital rights management (DRM) on many of its CDs, had made the massive entertainment company “a classic hacker target,” former hacker Mustafa Al-Bassam said in opening the conference.

Sony’s efforts to combat online piracy and protect its multi-modal business had led hackers to poke and prod its systems – with great success, since the firm was bristling with major core systems and ephemeral web sites that were set up to promote movies and music, then left abandoned but online.

That broad exposure made Sony the “game of the year” among hackers that breached the company nearly two dozen times in 2011 – the year when Al-Bassam, who had joined hacktivist and anti-group Anonymous in 2010 to support its anti-copyright control campaign, co-founded the LulzSec splinter group.

LulzSec – which would eventually lead the 16 year old hacker to arrest and a suspended sentence that forced him off the Internet for 2 years – went on a hacking spree that included posting fake news, compromising Web sites, and leaking the personal details of more than 80m users of Sony’s PlayStation Network (PSN) gaming site.

Years later, Al-Bassam – now a PhD candidate who has left his hacking days in the rearview mirror – said LulzSec “wasn’t really a hacking group, but more of a comedy group, in my opinion.”

“The point of LulzSec wasn’t to show that we were expert hackers,” he told the audience. “It was to show that internal security was not strong. The question was ‘why are all these systems suddenly being exploited?’ and the answer is that they probably were being exploited before, and there probably were a bunch of hackers in the system before – but those hackers didn’t have any reason to tell the world about them.”

Poor visibility could cost you

Data loss isn’t the only potential damage that hackers can cause, Sophos senior director of product marketing Anthony Merry said, noting that many attackers were focused purely on financial objectives – and are increasingly beginning their compromises by using ‘cryptojacking’ malware to implant cryptocurrency miners.

“The fact is that someone got into your organisation, whether through a phishing attack or a poorly configured firewall,” he said. “Once they’ve got those credentials, they’re in and can do whatever they like.”

Cryptomining tools capture free computing cycles from their victims’ environments and turn them into financial gain, and has become increasingly problematic for companies that already face issues with employees tapping into company resources to make a quick buck.

Although there are a range of views on the ethics of cryptomining, using company resources to mine cryptocurrencies creates availability issues for IT and cybersecurity staff, as well as problems for employees – as happened last year, when two Bureau of Meteorology (BoM) IT staff were investigated for allegedly leveraging that agency’s powerful computers to mine cryptocurrency. And last month, a Sydney government employee faced two charges that could potentially see up to 12 years’ imprisonment for allegedly mining more than $9000 worth of cryptocurrency.

Hackers leveraging victims’ computers for cryptomining often do so without fear of reprisals, however – and this can mean major problems for victims that may not even find out about the breach until major damage has been done.

Sophos was recently called in, Merry shared, to help a company deal with a cryptomining operation that hackers had set up in its Amazon Web Services (AWS) environment using stolen privileged developer credentials.

Those credentials gave hackers free license to spin up one virtual machine after another, scaling their cryptomining operations to massive scale out of office hours and winding them back when staff were more likely to be around to notice.

The operation was only discovered when AWS sent usage alerts warning of the excess usage – and received an eye-watering bill from AWS for use of virtual machines that had been accumulating at more than $US100,000 per hour, for four or five hours per day, for more than a month.

Given the potential financial gains, hackers have an interest in not impeding the operation of those environments. Yet that’s no guarantee of security, Merry noted: “if they get bored with cryptomining and the value of the currency drops to near zero, nothing stops them uninstalling that miner and installing something much worse.”