GLASGOW, Scotland–Credit unions would greatly benefit from turning to hackers, according to one person. But in this case that means “friendly hackers,” the same person said in remarks in which CUs and individuals were repeatedly urged to “take responsibility” for their digital futures.
In remarks delivered via video from Israel to the World Credit Union Conference in Scotland, Keren Elazari, an expert on cybersecurity and the first Israeli woman to speak at a TED event, offered her perspective on cybersecurity as a “friendly hacker.” But as she made clear, there is no shortage of unfriendly hackers looking to target individuals and credit unions every day.
Elazari walked her audience through a host of malicious cyberthreats to credit unions and other organizations, saying the bad guys have “evolved and adapted” not just in the methods they use to stage their attacks, but even as organizations, in many ways mimicking legitimate companies and their structures.
“One of the worst and most lucrative forms of cybercrime is ransomware,” said Elazari. “It’s almost the perfect crime. Criminals take away your access to your information and then they sell it back to you.”
Among the most vicious and effective pieces of ransomware has been the Ryuk virus, she said, noting that just like COVID-19, it has a lot of variants, as do other computer viruses. “The creators of Ryuk worked very hard to expand the speed and scale of the infection.”
Infection Vectors
As credit unions are aware, and as Elazari reminded them, the “classic method” for inserting a virus is a phishing email that tricks the recipient into clicking or opening a link. More sophisticated attacks have targeted remote devices and networks, such as VPNs. And the most “creative” attacks, according to Elazari, use doctored documents, usually created in Windows 11, that instruct recipients to enable editing and content. “This is what launches the malicious malware,” she said.
One such recent attack hit Irish health care provider HSE with a massive cyberattack that started with one email and eventually cost the company €100 million.
“It all started when one staffer interacted with a malicious Excel document. From that one device the attackers waited eight weeks before attacking,” said Elazari. The company published a 150-page report on what it learned; the report is publicly available, and Elazari urged credit unions to review it.
Big-Budget (Scam) Operation
One of the best-known cyber-criminal groups is Conti, a Russian group that expressed support for that country’s attack on Ukraine. That angered a member of the group who is Ukrainian, who in turn leaked a substantial number of documents. Those documents revealed, she said, corporate-like plans that called for setting up more regional offices and included a $20 million budget for training, expansion, acquisitions and more.
“They operate much like a major tech department,” Elazari said. “It had an HR department, performance reviews and even an employee of the year. The group attacked Costa Rica, where a national state of emergency was declared.”
The leak of Conti’s internal records, said Elazari, helped contribute to the shutdown of the criminals’ public-facing website, including its dark web negotiation website.
“But my experience shows that when one criminal group shuts down another steps into its place,” she said. “Cybercriminals are very smart. They understand how to recruit people and work collaboratively. This is how a new type of crime was created: RaaS: Ransomware as a Service. The gang takes 20% of the affiliates’ take.”
Credit Union Targeted
One of those RaaS attacks, using the LockBit 2.0 crime tool, hit a credit union: Envision CU, noted Elazari.
In the on-screen ransomware notes to victims, “They even recruit new affiliates from their victims. They have messages like, ‘Would you like to earn millions of dollars? Our company requires access to networks of various companies.’ They offer information on how to contact them. They even include product endorsements.”
While the focus is on the cyberattacks, Elazari said that is not the greatest crime. Instead, it’s the undermining of trust in institutions that she said is the greatest threat. It’s a pace that has only increased during the pandemic when many criminals used video solutions and invitations to participate in video calls to capture users’ credentials.
“One of the reasons these attacks happen is the result of what I call the expanding digital universe. Digital connectivity has grown exponentially,” said Elazari.
As have the resources available to criminals, she added, citing Shodan, a website that is the “Google for connected devices that are exposed. It’s an easy pathway into networks for attackers to exploit.”
Coming to Your Home
Driving that exponential growth in connected devices has been all of the connectivity now taking place in people’s homes, from Alexa to connected refrigerators to home entertainment systems and more.
“Do you have multifactor authentication on all your networks?” asked Elazari. “If you are not doing that, who else will be responsible for your digital self-defense? The irony is many of us still use passwords. It’s like we haven’t moved into the 21st century at all. Many of us recycle passwords that are so easy to guess or crack. Hackers like to joke, ‘We don’t need to break in, we just need to log in.’”
Elazari recommended credit union leaders visit www.HaveIbeenpwned.com, a site created by a white hat hacker that lists whether an individual’s log-in credentials have been leaked. She said the site reveals a half-billion passwords have been leaked. The service is free.
“As we think about preparing ourselves for the future of cybersecurity, one lesson from the COVID pandemic offers an opportunity and that is to talk about digital cyber-hygiene,” said Elazari. “You wouldn’t give someone your mask during COVID, so don’t share your passwords. Just as we used masks as an additional level of protection, two-factor authentication and longer passwords can offer you that additional defense.”
The Good Guy Hackers
According to Elazari, “sometimes, hackers can actually help.” In this case, she’s referring to “friendly hackers” such as herself who function as independent security researchers who help people and organizations to understand security vulnerabilities.
For example, she cited the “bug bounty programs” that allow even the most conservative organizations to harness the world’s friendly hackers. Google, Tesla, Intel, Western Union and more have used such programs.
In fact, Tesla even brought its first car to the largest convention of hackers and challenged the top hackers to find and penetrate the most complex security in the vehicle’s systems. The Defense Department also invited hackers to “hack the Pentagon.” The first person to succeed did so in 13 minutes. He was a high school student.
“Now is not the time to keep calm and carry on,” said Elazari. “It’s time to adapt and evolve. It’s time to build your own digital immune system. Please choose wisely, the future is in your hands.”
