Business Tech Playbook

#22 – Stories in the News

8 months ago
Transcript
Robbz

This is the business tech playbook. Your source for it. Help for your business.

BJ

Welcome to Business Tech Playbook. This is William Pote, I'm your host. And my co-host Robbie Olsen, basically, he's been sick for the last week, so he's going to talk only when spoken to.

Robbz

Man, I sound good, you know what I'm saying?

BJ

Yeah, he sounds extra smexy this week. I mean, he usually sounds amazing, but he's solidly in the sounds good plus six.

Robbz

We were going to talk about fishing. I even brought my fishing pole. But we need a little shorter topic today. So we have a couple others we've prepared in the hopper and it's just too much of a news cycle that we got to cover at least a couple of these topics that are happening with real world hacks that have affected so many businesses that it's more than just clickbait. So what do you got for us today? Not doom and gloom, but real life concerns that people should know about.

BJ

Yeah, so there are three things that have been recently in the news and have really impacted us, and it's part of what has kind of thrown off our recording cycle. We internally happen to use ScreenConnect, which is a remote access tool, so it allows us to connect to end users' computers, do work on their equipment and just really take care of business for them, unfortunately. So I noticed about twelve or 15 days ago, our ScreenConnect instance randomly just was updated to a non... there was no documentation or release notes about the release, but we were suddenly ahead of the most current version. I was like, well, that's pretty weird, but okay, maybe somebody accidentally launched a beta release or something. Well, about two to three days after that they released a note saying, hey, there's a critical vulnerability. And so there are CVE scores. Basically they go from zero to ten. Anything over like an 8.5 or... Yes.

Robbz

What does CVE stand for?

BJ

CVE meaning, I know exactly what it is. It's Common Vulnerabilities and Exposures.

Robbz

How bad is it rating? You know what I'm saying?

BJ

It's basically, yeah, how bad is it and how much do I need to care?

Robbz

It's like when your grandpa was in school and they talked about in the Cold War, how close are we going to be bombed now? We have that in IT. We have an IT rating.

BJ

In some cases it's probably more critical than your DEFCON rating, as painful as that is to say, dealing with nation state cybersecurity incidents. Yay. It's fun. This was a ten, which is literally the worst you can get. They do a lot of like 9.1s, 9.5. This was a ten. You literally don't have anything over a 10.0. It was unfortunately exceptionally easy to, exceptionally easy to... trying to think of the right word. It was an exceptionally easy proof of concept for a threat actor to get onto your ScreenConnect server and have basically complete remote access to every single machine. It was really wild. I'm going to be honest, normally I don't give ConnectWise, who's the owner company of ScreenConnect, a lot of credit. We've had our struggles with them, right? But they had everyone updated and they actually made a release, because this went from the current version, which is 23, back to the original version one. Since they went back to the original version one, people that hadn't even paid for software maintenance for the last twelve or 15 years were allowed to update and get all the new features of that latest version, because it allowed them to get the security update that would protect them. For once, a company put security of the masses over making a profit. And I felt like their overall... they had a published release, they had a fix, they handled it really well. They had their entire, all of their cloud hosted stuff updated before they made a release. And then they started being just available for people that didn't even have the security, like the software maintenance packages for support. They were helping them because they cared more about protecting the public than they did about making a profit. And to be fair, some of that's probably marketing. But at the end of the day, they did the right thing, and I wish more companies did that. This was an incredibly bad vulnerability. Exceptionally easy to exploit, exceptionally easy to cause problems for downstream users. This makes the Kaseya one, which took down a quarter million endpoints in 2021, look kind of pale in comparison. It was wild how bad it was.

Robbz

I think that the difference between people that heard about this Kaseya thing and this one is that Kaseya had vulnerabilities because they found such a huge, hard hitting thing. It hit chains of grocery stores that were 2000 businesses of a single chain. It just took them down. This, they had random actors hitting in multiple places, found vulnerabilities, capped it, and right now I'm pretty sure they still don't have a complete analysis of how many it actually affected and how. I don't think we have a full date of how long they knew the vulnerability was there. I think they're still doing after actions to find out. Is that correct?

BJ

Correct. So basically they found out about it, I believe on February 18, and by the 19th, 20th, they had a published fix that they had rolled out to the entire cloud, hosted the tens of thousands of instances that they host for us, so, like ours. And they had mitigated the vulnerability through a couple of other methods. And then what happens is they also had a self hosted option, which is we run it on a virtual machine in our data center. We run it on a VM or droplet or something in Azure or AWS, that kind of thing. Those have different mitigations depending on what we allow to the Internet. And so since it was such an easy... like, you could literally go to the IP of the ScreenConnect instance, put in a backslash, type in whatever you wanted it to do, and it would effectively do it. Pretty... it was exceptionally easy to exploit. And there were a couple of other companies like Huntress, who had a huge response. Like they really jumped in, made sure that they were taking care of people, offered to help everyone mitigate things, and they were basically going into a program like Shodan, which will scan the Internet for open instances. And they were calling people, like they were trying to reverse engineer who was attached to what. And if they found something that wasn't patched, they were helping people patch it.

Robbz

Now, I want to do two things. One, I want to explain how these attacks work in the background at a high level. And two, I want to explain what this platform really does. So if you're out there and you want to remotely connect to a computer, there are a few different ways of doing it. One, you can use like a built in Windows tool. We call it RDP, Remote Desktop.

BJ

There's also Quick Connect baked in, which is pretty good.

Robbz

Yeah, Quick Connect, that's generally how your grandson's going to help grandma remote into the computer. So he can help grandma answer a question, play Facebook games, or with her email. Those aren't really a business tool. How businesses get it done, at least entry level ones: the world runs on TeamViewer. You've probably heard of those to remote into stuff. Splashtop is really popular. And ScreenConnect. Those are probably the top most common. I'm not saying that they're the best. I'm just saying that those are really prevalent out there in the wild for people and businesses to use. A lot of these tools that people buy have bundled in ScreenConnect more than any other company. For some reason, the salespeople over at ConnectWise really got in bed with a lot of different people. So if you buy an RMM tool, I think Ninja had it baked in. Every flavor has ScreenConnect that I could find that was out there, because they didn't want to build their own tool, so they just bought ScreenConnect's licensing and added it to theirs. So if you wanted to buy all these different softwares that would come with it, if you had like, let's pretend you're a dental office, I've always used the trash guy, right? We talked about the trash program in the past. If you bought these line of business applications, the line of business applications had already come pre built in with a license to this. So I can't think of a single remote desktop application to remote into a computer that was pre built in more than ScreenConnect was. So it was really embedded in a lot of different platforms, and I'd say most of the world's infrastructure.

BJ

Well, a ton of... ScreenConnect is one of those tools that just works and is super fast, and it's literally one of the best tools I see. Like you go jump on the sysadmin subreddit, and if people ask, what's a good remote access tool? ScreenConnect is invariably mentioned first. And probably most... I see a ton of people using it that are IT folks. We have accounting folks that we know that use it simply because they need to access their clients' computers. So you start thinking about it from that perspective. ScreenConnect, it's in a ton of different installations and a ton of different ways. And the cloud hosted ones were less prone to incident. It's the self hosted ones that, after the February 18 weekend... yeah, it's been a long week for the ScreenConnect support staff, let's put it that way. So the timeline is: they got a report of the issue February 13. They validated the vulnerability on February 14. They announced a patch available on February 19 for all on-premise ScreenConnect partners. They posted a security bulletin recommending partners patch, and it got added to the Known Exploited Vulnerabilities catalog on February 22. They've done a really good job getting emails out to people and done a really good job. I think they were even going into old instances and updating them kind of proactively. The amount of work that they did was insane.

Robbz

So now, talking about a little bit of the gears between... you mentioned Kaseya, their outbreak versus this outbreak. So this is all about a circumstantial chance. Who's going to find out the vulnerability first? Is it going to be someone that's going to report it publicly and give it to someone malicious? Or is it going to get in the hands of someone malicious? Or is it going to get in the knowledge of someone that can report to ScreenConnect properly, so they're going to get a fix for it in that short amount of time? Because development work for such a big program takes time. There's no way that you can switch the program overnight. Much less people say, well, why couldn't you just shut off all the instances? That's literally saying, why couldn't you shut off everybody's connection for 80% of the world overnight? Be like, okay, now no one can connect. Well, you can't do that either. So what are you going to pick? You have to develop something fast, get a patch out and fix it. So with the case of other things like Kaseya, someone else got a hold of it before Kaseya did, supposedly. And then in dark realm circles, they know the vulnerability patch. They whip up their own scripts, programs, and hacks. They plan accordingly. And these people aren't near as fast as a company with a development team. So generally they're methodical and they plan carefully. They have the time. They don't have a ton of resources, and they will scope out their favorite targets and then plan their favorite night, which just happened to be July 4. Most IT people are on vacation. They're out with their families. They're not worrying about the infrastructure. And then they hit as many businesses as they possibly could to make as much money as they could. So again, this could have been a lot worse. Luckily they capped it the way they did. They got a hold of it and developed in time, and now we're here.

BJ

And I want to be clear, I'm not throwing shade on what Kaseya did. I think from what I can tell, they did as good a job as they absolutely could responding. It was a really bad situation, right? I mean, they literally turned off like 40,000 hosted Kaseya instances while they figured out what the problem was. In this case, the bad guys found the vulnerability first. In this case, with ConnectWise, the difference is that a good guy, a researcher, found the vulnerability and reported it responsibly. I'm hoping they got paid a lot of money for that reporting because it saved a lot of people a lot of heartache, because at this point, it was only a matter of time before somebody else figured it out.

Robbz

If you find something this big, this groundbreaking, like you said, level ten on that horrid scale, they should get a reward. They should treat people like, hey, you don't get nothing for doing the right thing. Here's something to reward you for doing the right thing.

BJ

Most SaaS companies have some kind of bug bounty program, where they pay out $5, $10, $50,000 per bug reported, especially if it's a security vulnerability. I'd imagine for ConnectWise to pay out even 100 or $200,000 for this, versus this going out to... this was a drop in their overall marketing budget. Like, they should just chalk this up to marketing. Give the guy like half a million bucks, because he just saved a ton of people a lot of heartache and a ton of bad marketing and PR for... like, they came out looking really good because they did the right thing with the information that they were given. And again, this is not me throwing shade on Kaseya. I think they did a good job handling their situation. It's just the bad guys got it first.

Robbz

So if you're hearing this podcast, you use a tool called ScreenConnect. Because even our customers... we're not the only people that use that tool to access the computers and servers of our customers. If you're a remote user and you are a customer of Etop, we give you this tool so you can use it. So if you're working from home, you can connect to your own computer. So if you're a user of ScreenConnect and you're listening to this, you're probably patched. But just in case, do your homework, check that you are, and make sure that if you're our customer, you're patched. But if you're not an Etop customer, definitely check your instance.

BJ

Well. And so as a result of that, we basically ran a... we can tell. So ScreenConnect installs side by side nicely. So we have vendors that use ScreenConnect in our client environments that do other things than what we do. Right. So there are some EDI vendors, some BI, some other intelligence type vendors that we have going into client sites that we happen to know use ScreenConnect. So we basically checked every single endpoint across our environment to figure out who had ScreenConnect on their machines that wasn't ours. We then reached out to each of the vendors and said, if you don't update, we are uninstalling your access because it's that big of a risk. I don't want a customer... it was that big of a risk. Long and short.

Robbz

Yeah, it's like, hey, we can't connect. Sorry, your instance isn't patched. We had to cut you off. Yes, we'll help you patch it. Just let us know.

BJ

Yeah, so they called the vulnerability Slash and Grab, because you could do it with a backslash and put in Python code or type a command and it would actually... as they said, the exploit is trivial and embarrassingly easy. We can actually put a link to the Huntress blog in the show notes that talks about it. It's a really good read on what happened.

Robbz

Well, now that we got that one, what's next on our list of fun?

BJ

So another really big thing that has happened this week. Apparently it's been a really bad week for cybersecurity news. UnitedHealthcare confirms ransomware gang behind the Change Healthcare hack. I'm imagining there are not too many people in the United States that weren't impacted by this UnitedHealthcare outage because of how much it impacted pharmacies. I saw a statistic that said that UnitedHealthcare does something like that... Change Healthcare does something like 14 billion transactions annually, or about one in three US patient records. Like you're talking about 33% approximately of US citizens were impacted by this ransomware attack. That's a big deal.

Robbz

So it did affect that, and it also affected Medica. I know because I'm a Medica customer. My wife went to go pick up my prescriptions and thank goodness it wasn't for this recovering pneumonia that I have. It was other diabetic medications of all things, and she shows up to the pharmacy and they say, sorry, the entire system's down. We show records in our own personal system of you getting the meds, but the insurance company, which uses InstaMed, which is owned by Medica, their entire medication platform is down. I believe it was continent wide because they offer Canada as well, is what they were telling her. And how they were handling it at that point, because it was already two days into the issue, was they told her that, sorry, because we have it in the system, and we show a doctor's note saying you can have the prescription, we can get it to you. But because the insurance doesn't recognize it and recognize our authority of giving you the medication, they won't pay for it. So you have to pay for your meds' full cost, whatever the cost is. And then Medica InstaMed says that after this is over, you can submit for reimbursement. And they said, immediately. My wife leans in and says, okay, when is this over? And they said, that's the magic question. We don't have an answer for you. And they won't give us an answer of when this all will be over and when you can qualify to get a rebate. So my medication happened to be, I believe it was over a grand for that dosage. So let's say that I didn't have extra meds on hand. Let's say I didn't have a grand sitting around to pay for it at the moment, which both... I had extra meds on hand. Thank goodness I didn't have a grand on hand to pay for it. But let's say I didn't have both of those. The only way that they could serve me is tell me to go to the emergency room, because they can't deny me medication at the moment to keep me alive.

BJ

Right. It's pretty crazy. Well, and so the part that's really wild about it. So about a year ago, we went to a security conference called Right of Boom, and they went through a complete situation brief of BlackCat and ALPHV ransomware and a previous hack that they had gone through. Guess what? The UnitedHealthcare one was done by the BlackCat and ALPHV hacker groups. It's insane.

Robbz

When you say done by, you mean like they sat in a room and talked about how this could go wrong?

BJ

They basically did a situation brief on a previous incident or incidents that BlackCat and ALPHV had instigated. They did it again. So these guys are notorious for being just in the right place at the right time. I believe they're the ones who took out MGM. BlackCat and ALPHV are pretty much like the premier hacking league or premier hackers out there. And the part that's crazy is that a lot of the stuff they do is pretty simple. Like with the MGM hack, it literally was just... they called into the help desk, convinced the help desk that they were a mid-level IT technician that had access to the network. They got their password and MFA reset, and they did the breach with known good credentials. It's wild, right?

Robbz

It wasn't even the system. It was the human that answered the phone.

BJ

Yeah. They're the types of people that keep me awake at night. If people ask what keeps me awake, this is right up there.

Robbz

Not to bring you down when you're listening to the podcast, but we want to keep you informed. There's a lot of this going on. Like we said, affected so many for so long. So now, my wife went in this week, and I think it was two days ago we finally could get our medication. So don't quote me on this. I think I was down in the system for nine days. No, eight days. I'd have to ask my wife, because she's the one that picks up all the prescriptions. She's a nurse by trade and a prior pharmacy technician. So I fix her phone, she picks up the prescriptions. That's kind of how we work our life. That's the balance.

BJ

It's a good balance.

Robbz

Yeah. I just can't believe that. The fact that because of everybody thinks ransomware. Oh, someone stole my credit card. I'm going to have to wait a couple of days for a credit card. How inconvenient. No, this is so much worse. Imagine this happens and now you're out of diabetic medication and the only way you can stay alive is going to the ER. This is where we're at now, people.

BJ

Yeah, it's pretty wild. I'm trying to find the original statement from BlackCat and ALPHV on the UnitedHealthcare one.

Robbz

Oh, also that these mobsters have their own PR department.

BJ

Oh, they're like. And they're actually funny. Which is, again, I do not admire these people. They are doing some pretty malicious things, but they are interesting, that's for sure. I'm trying to find it.

Robbz

While you do, I'll go to the next one and we can loop back around. So doing something a little closer to home, because we talk about nationwide stuff that really affected a good portion of the world. Let's talk about something closer to home. You have heard about mom and pop down the road getting ransomware. How that affects grandma. Can't get her computer. She's got to drop it in, pay some guy a few hundred bucks to go clean out her computer. Maybe she lost her photos, whatever else. Maybe her tax statement on her computer. But of course, this happens at every level, down from grandma all the way up to the nationwide stuff. So here is the California city manager for Oakley, California declared a state of emergency to accelerate the city's response to a ransomware attack. This is a San Francisco Bay Area city with about 480. And the city manager declares a state of emergency out of an abundance of caution because they have no clue what is all affected. They know that so many systems that they have for the city offices are affected, that they declare a state of emergency because they're now auditing. If they even can call 911 for emergency, fire, police and ambulances, if they have streetlights. What in the world is all affected, because so much is going down in the city. So they do an audit. And of course, luckily, 911 and emergency services were not affected. And they go through and find out that city offices, different city places were affected. But it's that level of panic that it affects so many things. An entire city just hits the panic button saying, sorry, the entire city is out of order for a while. Guys, we're figuring it out, and that's the thing.

BJ

And it kind of shows, I mean, this is a small city. I mean, it's 40, 45,000 people, but it's attached to a much larger metro of the Bay Area. It's showing that people aren't immune from this. And it kind of goes into one of the articles that I just found that talks about the deeper issues in America's infrastructure, where if it's online, we are dealing with a lot of nation state type actors. Russia, China, Iraq, Iran, Korea, or, sorry, North Korea. These are the nations that are going after American infrastructure. And be that hospitals, be that ScreenConnect, and going after small business. At the end of the day, we need to be doing a better job of securing things by design from the get go, segmenting things from anything other than physical access. I hate saying it, but I'm an IT guy who loves everything being accessible from anywhere. There might be something to be said about dedicated, completely isolated physical access networks when it comes to water or electricity or insert critical infrastructure here. But the paranoia starts to set in and it can be real.

Robbz

I wish there was a way of saying, hey, what's wrong with keeping my prescriptions on paper at my local pharmacy? My doctor, she's in her own personal, private care clinic. I'll take you a physical piece of paper, and then I'll send snail mail into my insurance company. Come on, guys. I know I can't do that, but to keep myself out of the ER for not being compensated correctly, that seems fair. That is now a concern in my life.

BJ

There are times where I'm like, man, paper is the best. I only ever go into a sales meeting with a notepad because it's not going to... my pen might fail, but that's it.

Robbz

Well, we talked about different things. We've done a podcast and talked about insurance. We've talked about how we can keep downtime from happening continually. That's been a big thing on the podcast that we talked about, and different security elements. But when people ask about security spend and we talk about what your insurance should do for you when you go down, talk about, I'd really like that not to happen. How can I come in and have this not happen? I don't want to have to sit down for a conversation of, I'm a medical office, I don't want to have to send these people to... or I'm a pharmacy, I don't have to send these people to an ER. I'm an important service to my community. Why am I failing this group of people so they have to go to a different city or not be serviced by something important? Maybe if you're in something that is negligible, that isn't an emergency, you can have the conversation of, yes, I'll do the security that I believe I need to. Yes, I pay for the insurance and maybe your security budget isn't as robust. But for you guys that have critical services that you offer to other people, this shouldn't even be a conversation. You have to at least do a bare minimum and have a real conversation. If this happens, what's my backup plan? What's my emergency state of getting around this?

BJ

Well, and it's part of why we don't have clients that aren't willing to do everything, because it's too easy to do it wrong. But it's always been this way. I'm a small business. I'm not a target. The reality is the reason you don't hear about all the small targets that are taken out is because they're small. Nobody's going to talk about the little 15-person medical practice going out of business because they got ransomware. At most it's going to be in the local paper, but it's never going to become national news. And this is happening every day.

Robbz

Imagine what that would do for your career. Let's say I had that 15-person practice, right. Let's say that for some reason I closed down and I wanted to tell people why I'm getting out of... you know, I think I'm retiring, golf is more for... isn't... no, it... you know, this... you know, Kathy picked up the phone, someone pretended to be a vendor. She gave some MFA key to some person on the phone. And now all my stuff went away overnight. I didn't have the correct insurance. So now I have to eat it. And I'm filing bankruptcy and I'm working for someone else now. I'm trying to do all I can to make sure no one knows this ever happened, to keep my resume as clean and hireable as possible.

BJ

Well, I mean, now the 15 people that relied on you for work have to go do something else. If, as an IT... an owner of an IT company, we get hacked, is it possible? Yeah, 100%. I will never say it's not possible, but we literally do everything we can to avoid it. We do security awareness training, we do compliance testing. We run every single tool, and then some, that we recommend to our customers on ourselves. We make sure our stuff's hosted in all of the best places that we possibly can. We use the best software. We go above and beyond constantly because it's that important. I don't want to be the person who has to let five employees go, and then I'm potentially a risk to my 35 customers. And again, we're a small MSP. Imagine if you were an MSP with 600 employees. You've got 10,000 customers. You're dealing with security on a whole different level. Or if you're an enterprise IT department, even if you have 500 employees. I mean, the reality is we only hear about the big hacks, and there are a ton of small ones that happen every single day, and it's impacting small business every single day. And we don't hear about it because it's small. But that doesn't mean they're not making $500,000 every time they do it. A lot of insurance is paying out a lot of money for small business.

Robbz

Ransomware events, and I promise you that if these big players could spend enough money to make it all go away, they would. So we're only hearing about the ones that they can't outspend.

BJ

Bingo. Well, like when BlackCat and ALPHV publish a thing saying, we took... you were... they reported people to the FCC and SEC because they didn't do their reporting like they were supposed to. Like they were trying to sweep it under the rug. And the guys who hacked... the bad guys, who hacked the good guys, called them out for not doing the right thing. I'm like, wait, what? It blows my mind, kind of.

Robbz

That actually does hurt. Where's your moral compass at that point? Somewhere in the weeds.

BJ

Yeah. Well, and to be fair, the threat actors are doing it simply to motivate them to pay more money. My guess is if they had paid, they probably wouldn't have said anything. But it's a wild space. We spend a lot of time thinking about it.

Robbz

Yeah, they have done research on ones that have paid out, and not only is the customer service AAA, but the white gloves to make sure that they'll help, to make sure that the news goes away somehow, happens as well. So, crime on crime on crime.

BJ

Yeah, it's pretty wild. But I say all that to say there is hope. There's a lot that you can do for a relatively low price to make it much harder, make you much less of a target. The goal is to just be making yourself as resilient as possible. If you have all of the right things in play, it makes you more likely to survive, which is why you have cyber insurance, the right kind, that's scoped properly for your business. Go talk to Fifth Wall. Go talk to your local broker. Ask us some questions. We're not insurance agents, but we can help guide you in the direction you should go. Make sure you've got backups, EDR, the next-gen AV. There are a lot of small things that you can do that cumulatively make a big difference in your survivability. And so it's becoming less a matter of if you get hit and more of when, but then it's helping all of your customers or helping you become resilient to these incidents.

Robbz

Well, we covered a bit of the news. We've talked about different solutions in the past. I think another one that we're prepping up is the human element. We talked about the MGM hack a little bit. They just talked to the help desk. Their tools weren't the problem. It was someone on the phone pretending to be someone else and getting in using that human element. So we're going to have a whole podcast on that one coming soon. And I can't wait to go over this one.

BJ

Talk a little bit about that before we talk.

Robbz

The Kevin Mitnick book. You know what?

BJ

All right. All right. If you want a book that will keep you from ever sleeping: This Is How They Tell Me the World Ends. It's a book written from the perspective of, like, nation state hacking. Yeah, I got about halfway through and I had to stop because my paranoia was getting out of control. I'm not particularly a conspiracy theory paranoid kind of person. And this was giving me some challenges to sleep at night.

Robbz

Pretty sure they used that book to make that latest Netflix movie, How It Ends, at least parts of it anyway.

BJ

Okay.

Robbz

I'm not sure if there's a direct correlation, but that was a goofy movie for sure.

BJ

Well, right on. Well, I think it'd actually be good for us to talk about security awareness training and social engineering on the next one with that. Yeah, right. Yeah. We have to end this on a...

Robbz

Happy note. Do the Law and Order one. Chun, Chun.

BJ

Chun. Chun Chun.

Robbz

Yeah. Executive producer Dick Wolf.

BJ

Right on.

Robbz

Until the next one, guys. Thank you.

BJ

Thank you.

Episode Notes

https://www.huntress.com/blog/slashandgrab-the-connectwise-screenconnect-vulnerability-explained

For more episodes go to http://businesstechplaybook.com

Find more on LinkedIn: https://www.linkedin.com/in/william-pote-75a87233

This podcast is provided by the team at Etop Technology: https://etoptechnology.com/

Special thanks to Giga for the intro/outro sounds: https://soundcloud.com/gigamusicofficial