Security Top of Mind as Massive Hacks Continue
December 4, 2024 Alex Woodie
The calendar indicates peace and joy, but instead a sense of dread and fear permeates business, as the number and scope of security breaches grows and new regulations loom on the horizon. Ransomware, in particular, is proving itself to be a thorny issue for companies of all sizes, including IBM i shops.
The latest mega-hack involved Chinese state actors infiltrating the American telecommunications backbone, where they not only accessed huge numbers of call detail records (CDRs) – which they used for counter-espionage purposes – but also read text messages and listened to Americans’ phone calls.
Known as Salt Typhoon, the hack is being called the largest security compromise in American telecom history. A combination of compromised passwords, aging equipment, and poorly developed integration points enabled hackers to embed themselves into the networks operated by telecom firms like AT&T, Verizon, T-Mobile, and Lumen.
The Salt Typhoon hack is an advanced persistent threat (APT) that has been active since 2020, the Wall Street Journal reported last month, and the cybercriminals may still have access to the networks. Forensic experts have been stymied by aging routers and switches that aren’t Windows-based and have been difficult to probe, Politico reported.
Of particular concern is the level of detail that the hackers obtained from CDRs generated from 5G cell towers. Since the towers are so densely located (owing to the higher frequency they operate at), the hackers are able to determine the geographic location of people to within a few meters. That poses a national security concern, experts say.
“This is far and away the most serious telecom hack in our history,” Senator Mark Warner (D-VA) told the New York Times last week. “This makes Colonial Pipeline and SolarWinds look like small potatoes.”
As American telecom firms come to grips with their legacy system issue, new regulations are poised to lower the boom on information and communication technology (ICT) providers. First passed in late 2022, the European Union’s Digital Operational Resilience Act (DORA) goes into effect on January 17, 2025.
Complying with DORA will require ICT firms to implement frameworks to reduce security risk, provide for continuous monitoring of their systems, have detailed incident response plans, and implement business continuity measures. DORA’s requirements extend to commercial third-party service providers (CTPPs) and financial entities (FEs) that do business with ICT firms in the EU.
Lest American companies think they’ve been let off the regulatory hook once again, the Strengthening American Cybersecurity Act (SACA) can bring them back to their security senses. The law, which was signed by President Biden in March 2022, requires companies operating in any one of 16 specific “sectors of critical infrastructure” to notify the US Cybersecurity and Infrastructure Security Agency (CISA) of security breaches within 72 hours.
There are likely thousands of IBM i shops in CISA’s impacted sectors, which include chemical companies, defense manufacturing, financial services, communications, energy, emergency services, healthcare, food and agriculture, water and wastewater, and transportation. Hackers linked to the Iranian Revolutionary Guard have also been connected to APTs impacting drinking water and wastewater systems, as we reported in March.
Here’s one more SACA requirement that might have slipped your security radar: Any company that makes a ransomware payment must report that payment within 24 hours. Non-compliance with any of the provisions of SACA can result in criminal prosecution.
After incidents of ransomware decreased in 2021 and 2022, ransomware rebounded in 2023, according to a report by Google subsidiary Mandiant, which found that victims of ransomware paid more than $1 billion to cybercrooks in 2023.
So far in 2024, the upward trend is continuing, as ransomware gangs get more brutal and more sophisticated in their tactics and techniques. According to data collected by Varonis, the average ransom paid in 2024 is $2.73 million, an increase of nearly $1 million from 2023. For comparison’s sake, in 2016, the average ransom payout was $10,000, according to data from IBM Security that we reported back in 2017.
Ransomware gangs increasingly are working with other cybercriminals who aren’t shy about threatening individuals. According to a June Wired story, patients of a cancer center in Seattle, Washington received emails from cyber stooges threatening to expose their information if the company didn’t pay up. The possibility of physical violence stemming from ransomware attacks is now a real threat.
SACA’s ransomware reporting requirements could alter the math of whether a victim decides to pay the ransom or try to recover their systems. MGM didn’t pay the ransom in the September 2023 attack that disrupted its computer systems at several of its Las Vegas properties for weeks, which ultimately ended up costing the company $100 million. Caesars, which was hit by the same ransomware gang as MGM using the same social engineering methods to obtain passwords for powerful user profiles, paid the $15 million ransom.
While 93 percent of ransomware targets Windows machines, per data collected by Varonis, that’s cold comfort for companies that rely on the IBM i server, which features the Windows-like Integrated File System (IFS). IBM i shops are getting hit by Windows-based ransomware that can encrypt data on the IFS, which can gum up all kinds of processes on IBM i, including workloads running natively on the Db2 for i database.
Avoiding ransomware in the first place obviously is the best approach to dealing with the threat. Precisely’s Rachel Galvez shared some good tips on IBM i security best-practices in a blog post last month.
While maintaining system logs, running backups, and having disaster recovery plans are good first steps, she writes, IBM i shops need to do more to really protect themselves from ransomware. She advises that IBM i shops use network segmentation techniques to limit access to sensitive areas of their networks; implement multifactor authentication (MFA) to fortify access to critical systems; and encrypt data in the database.
IBM i shops should also lock down their IFS and minimize network shares, Galvez adds. However, since IFS configurations are different from general IBM i security configurations, this work isn’t always easy or straightforward for IBM i admins. The work is typically done manually through QShell, a Unix-like interface, according to IBM’s IFS security primer. Lastly, Galvez recommends using exit point software to monitor and control access to IBM i, which can also reduce the odds of a successful ransomware attack.
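As an added illustration of the IFS lockdown work described above (this is example code written for this article, not a script from Precisely, Galvez, or IBM), the following POSIX shell script walks an IFS directory tree and reports every file or directory whose “other” write bit is set, which is the first thing an admin would want to know before tightening authorities on a network share. It assumes it is run from QShell or PASE on IBM i (or any POSIX shell), that `find -perm` behaves as POSIX specifies on your release, that the “other” write bit corresponds to *PUBLIC write authority on the IFS object, and that `/home` is merely a placeholder path; confirm each of those against IBM’s IFS security documentation for your system.

```shell
#!/bin/sh
# Added example (not from the article, Precisely, or IBM): audit an IFS
# directory tree for entries that let any user write to them, i.e. the
# POSIX "other" write bit. Ransomware that reaches the IFS through a
# network share can only encrypt what the share's user is allowed to write,
# so these entries are the ones to tighten first.
#
# Assumptions: run from QShell (QSH) or PASE on IBM i, or any POSIX shell;
# "other" write is taken to mean *PUBLIC write authority on the IFS object,
# and the default path /home is a placeholder. Verify both for your release.

# Print every file or directory under $1 whose "other" write bit is set.
# Symlinks are not followed; entries that cannot be read are skipped quietly.
audit_world_writable() {
    dir=$1
    # -perm -002: every bit listed in the mode (here: other-write) must be set.
    find "$dir" -perm -002 -print 2>/dev/null | sort
}

# Pass/fail wrapper so the audit can run as a scheduled job:
# returns 0 when the tree is clean and 1 when anything is world-writable.
check_tree() {
    n=$(audit_world_writable "$1" | wc -l | tr -d ' ')
    if [ "$n" -eq 0 ]; then
        echo "OK: no world-writable entries under $1"
        return 0
    fi
    echo "WARN: $n world-writable entries under $1 (listed above if run directly)"
    return 1
}

# Command-line use: ./ifs_audit.sh /home   (path is a placeholder)
if [ $# -gt 0 ]; then
    audit_world_writable "$1"
    check_tree "$1"
fi
```

Run it against the root of each network share before and after changing authorities; a non-zero exit from `check_tree` is the signal that something still grants write access to everyone, and the listing shows exactly which objects.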
Whether it’s sophisticated state actors or thugs with a PC and an Internet connection, online threats are growing. Many of the country’s critical systems run atop IBM i servers, which makes them targets for the bad guys. The solution is obvious, but it’s not simple or easy: Security configurations need to be tightened up. So far, IBM i shops seem to be getting the message on security, although positive action is still lagging awareness.
RELATED STORIES
Cybercriminals Targeting American Water Infrastructure, Feds Say
Summer of IBM i Vulnerabilities
Why You Should Be Concerned About the MGM ‘Vishing’ Attack
Ransomware Epidemic Hits Epic Proportions, And IBM i Shops Take Notice