
Public Sector in Toronto, Canada Faces Cybersecurity Crisis Amid Surge in Ransomware Attacks





 1. Summary


Cyberattacks are rising day by day, and public institutions are not exempt. In late October 2023, the Toronto Public Library was severely affected by an email-borne attack from the ransomware group Black Basta. Crimes of this kind are committed through malicious attachments and URLs in emails. Because a single accidental click in the course of everyday work is enough to make someone a victim, responding proactively to potential threats matters, and that is possible by understanding these attack types and the countermeasures specified in the international email security standard of the International Telecommunication Union (ITU).

 

 


 2. Overview



According to Deloitte, 91% of all cyberattacks begin with a phishing email to the victim. Despite years of extensive user education about the risks of email and how to spot them, through the media and through corporate security programs, these attacks continue to evolve and to succeed.


A recent report by the European Union Agency for Cybersecurity highlighted the growing exposure of public administration and governments. These sectors, including educational institutions, are frequently targeted because they hold large amounts of sensitive information: citizen records, financial details and data about government operations. Attackers can monetize this data through identity theft and financial fraud, or by selling it on the dark web. In addition, because these organizations often run critical infrastructure and services essential to daily life, the pressure to restore operations quickly is severe. The disruption caused by a phishing-initiated attack creates confusion, and confusion raises the likelihood that a ransom demand will be paid. This article aims to highlight solutions that respond proactively to these sophisticated attack tactics.




 3. Attack Case Analysis - Attack Type



Ransomware attacks on Canadian public institutions, including York University (2020), the TTC (2021), the London Public Library (2023) and the Toronto Zoo (2024), have occurred steadily since 2020. According to the Canadian Centre for Cyber Security's National Cyber Threat Assessment 2023-2024, ransomware has become the "most disruptive form of cybercrime facing Canadian organizations." Solutions that proactively prevent these attacks are outlined in the standards registered with the International Telecommunication Union (ITU), a specialized agency of the UN. This article analyzes these attacks so that organizations in the attackers' sights can respond to the threat before it lands.


Case: Ransomware attack on the Toronto Public Library (TPL) caused by Black Basta – Malware in an attachment, Malware in uniform resource locator


On Sunday, October 29, 2023, a Toronto Public Library (TPL) branch manager received a call from his supervisor with urgent news: "We've had a cybersecurity incident. We need you to activate the phone tree. Contact the staff and inform them of the situation. We're unsure of the scope, and we don't have computer access." When he checked, the "tpl.ca" site was offline, blocking access to online accounts and disabling services such as public computers, printing and the "Your Account" feature at library branches.

Although the entire computer system was down, TPL officials did not attribute the attack to a specific ransomware operation or identify the attacker. About 48 hours later, the online publication BleepingComputer reported that the Black Basta ransomware gang was behind the attack, after seeing a photo of a ransom note displayed on a TPL workstation.

Black Basta gains access to a target network through various means, including phishing emails, infected ZIP files hosted on websites (reached through URLs) and malicious attachments. Once a user downloaded an infected ZIP file, the malware moved into the network, disabled the antivirus software, located data repositories (including backups held on so-called mirror sites) and encrypted them so that the network's owners could no longer reach their own data. The attackers then demanded payment in cryptocurrency for the return of the data and threatened to publish the stolen data on a public website, where anyone could access it.


Figure 1. Black Basta attack lifecycle based on Unit 42 incident response cases (Unit 42 2022)

 

This type of attack is covered in clause [7.1 Malware email attacks] of the international standard. Attacks using malicious code fall into two types: malware carried inside the attached file itself, and phishing mail that leads the recipient through one or more URLs to a destination that delivers the malware.

In the email security standard, these two types are classified as [7.1.2 Malware in an attachment] and [7.1.3 Malware in uniform resource locator]. The standard carries international credibility, being registered with the International Telecommunication Union (ITU), a specialized agency of the UN.

A malicious attachment is a threat in which the attacker conceals malware inside a file of a kind that is commonly emailed. The attachment can be disguised as a document, an executable, or even an image or video file, and its true type can be hidden behind a different file extension or inside an encrypted container that a scanner cannot open. Attacks that deliver executables often also spoof the sender's address so that the recipient is more willing to open the malicious document.

A malicious URL attack inserts a clickable link into an email to lure the user to a website that delivers malware. The URL may sit in the body of the email or inside an attachment, and the malware runs only when the user clicks it, so a message can pass inspection at delivery time and still cause an infection later.




 4. Attack Case Analysis - Solution



To protect valuable information assets from malicious attachments and URLs, compliance with the requirements and countermeasures specified in the international standard is important.


Adhering to ITU-T X.1236 clauses 8.1 [Security requirements to counter malware email attacks] and 9.1 [Countermeasures for targeted email attacks] leads to effective solutions and proactive measures.


To counter malware-in-an-attachment attacks, the standard sets the following requirement:

  • It is recommended to detect a forged file extension across the various file formats an email can carry.

By implementing this requirement, the following proactive measure against malware in an attachment can be taken:

  • Big data-based inspection regularly scans all inbound and outbound email of users through a cloud service, extracts the attachments that need further inspection, and decides whether they indicate a targeted email attack by comparing them with the data accumulated in the big data system. This inspection identifies and detects a forged file extension.
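One way to detect a forged extension, as an added example that is not code from the article or from Mail Inspector: compare the extension a sender claims with the file's magic bytes, and flag the tricks commonly used to forge an extension (a renamed executable, a double extension such as `.pdf.exe`, a right-to-left override character, an encrypted archive that cannot be inspected). The attachments below are constructed here so the script runs offline, and the small signature table is an assumption; a real gateway would use libmagic or a full signature database.

```python
"""Attachment triage: does the declared file extension match the bytes?

Added example, not code from the article or from Mail Inspector. The
signature table is an assumption; the sample attachments are constructed.
"""

# Leading bytes of common container formats -> content kind (assumed subset).
MAGIC = {
    b"%PDF-": "pdf",
    b"MZ": "exe",                                   # PE: .exe/.dll/.scr
    b"PK\x03\x04": "zip",                           # also docx/xlsx/jar
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",     # legacy .doc/.xls
    b"\x7fELF": "elf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"{\\rtf": "rtf",
}

# Extensions that legitimately share a container format.
COMPATIBLE = {
    "zip": {"zip", "docx", "xlsx", "pptx", "jar"},
    "ole": {"doc", "xls", "ppt", "msg"},
    "exe": {"exe", "dll", "scr", "com"},
}

EXECUTABLE_KINDS = {"exe", "elf"}
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "jpg", "png", "txt"}
PAYLOAD_EXTS = {"exe", "scr", "js", "vbs", "lnk", "hta", "bat", "cmd"}
RTLO = "\u202e"  # Unicode right-to-left override, used to hide the real extension


def sniff(data: bytes) -> str:
    """Return the content kind implied by the leading bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def zip_is_encrypted(data: bytes) -> bool:
    """Bit 0 of the general-purpose flag in the first ZIP local file header."""
    if not data.startswith(b"PK\x03\x04") or len(data) < 8:
        return False
    flags = int.from_bytes(data[6:8], "little")
    return bool(flags & 1)


def check_attachment(filename: str, data: bytes) -> list:
    """Return the list of findings for one attachment; empty means clean."""
    findings = []
    if RTLO in filename:
        findings.append("right-to-left override in filename")
    parts = filename.lower().split(".")
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS and parts[-1] in PAYLOAD_EXTS:
        findings.append(f"double extension .{parts[-2]}.{parts[-1]}")
    ext = parts[-1] if len(parts) > 1 else ""
    kind = sniff(data)
    if kind != "unknown" and ext not in COMPATIBLE.get(kind, {kind}):
        findings.append(f"content is {kind} but extension is .{ext}")
    if kind in EXECUTABLE_KINDS:
        findings.append("executable content")
    if zip_is_encrypted(data):
        findings.append("encrypted archive, contents cannot be inspected")
    return findings


# Constructed sample attachments (truncated bodies are enough for sniffing).
SAMPLES = {
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00",             # PE renamed to .pdf
    "statement.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00",       # double extension
    "scan_" + RTLO + "fdp.exe": b"MZ\x90\x00",                # displays as scan_exe.pdf
    "docs.zip": b"PK\x03\x04\x14\x00\x01\x00\x08\x00" + b"\x00" * 22,     # encrypted
    "quarter.docx": b"PK\x03\x04\x14\x00\x00\x00\x08\x00" + b"\x00" * 22,  # genuine OOXML
}


def triage(samples=SAMPLES) -> dict:
    """Map each attachment name to its findings."""
    return {name: check_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage().items():
        print(f"{name!r}: {findings or 'clean'}")
```

The point of the magic-byte comparison is that it ignores what the sender says the file is; the name-based checks catch the cases where the bytes are honest but the name is engineered to fool the person reading it.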

To respond to malware-in-a-URL attacks, the following requirement must be met:

  • It is required to trace the final destination of a chain of linked URLs while checking every URL in the chain for malware.

By implementing this requirement, the following proactive measure against malware in a uniform resource locator can be taken:

  • URL image conversion renders a URL that is recognized as malicious as a non-clickable image, so the link cannot be opened from the message in an environment judged to be dangerous.
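One way to implement the tracing requirement, as an added example that is not code from the article or from Mail Inspector: follow a link through every redirect to its final destination while judging each hop, so that a harmless-looking shortener or tracking link is judged by where it ends up, not by where it starts. Network access is replaced by a constructed table of HTTP responses (an assumption so the script runs offline); the blocklist, the payload extensions and the message body are also constructed. A real gateway would fetch through a sandboxed client with the same loop and hop limits.

```python
"""Trace a redirect chain hop by hop and judge every URL on it.

Added example, not code from the article or from Mail Inspector. The
response table, blocklist and message body are constructed for the demo.
"""
import re
from urllib.parse import urljoin, urlparse

# Constructed responses: url -> (HTTP status, Location header or None).
FAKE_RESPONSES = {
    "https://short.example/a1": (302, "https://track.example/r?u=1"),
    "https://track.example/r?u=1": (301, "/go/2"),               # relative Location
    "https://track.example/go/2": (302, "http://payload.example/invoice.zip"),
    "http://payload.example/invoice.zip": (200, None),
    "https://loop.example/x": (302, "https://loop.example/y"),
    "https://loop.example/y": (302, "https://loop.example/x"),
    "https://docs.example/policy.pdf": (200, None),
}

BLOCKED_HOSTS = {"payload.example"}                         # assumed blocklist
PAYLOAD_EXTS = (".zip", ".exe", ".js", ".iso", ".lnk", ".hta")
REDIRECT_CODES = {301, 302, 303, 307, 308}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def fake_fetch(url):
    """Stand-in for an HTTP HEAD/GET; unknown URLs answer 404."""
    return FAKE_RESPONSES.get(url, (404, None))


def resolve_chain(url, fetch=fake_fetch, max_hops=10):
    """Return (list of hops starting at url, final state)."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain, "resolved"
        nxt = urljoin(chain[-1], location)        # Location may be relative
        chain.append(nxt)
        if nxt in seen:
            return chain, "redirect loop"
        seen.add(nxt)
    return chain, "too many redirects"


def judge_url(url, fetch=fake_fetch):
    """Check every hop, not just the first; any finding blocks the link."""
    chain, state = resolve_chain(url, fetch)
    findings = []
    for i, hop in enumerate(chain):
        p = urlparse(hop)
        if p.hostname in BLOCKED_HOSTS:
            findings.append(f"hop {i}: blocked host {p.hostname}")
        if p.path.lower().endswith(PAYLOAD_EXTS):
            findings.append(f"hop {i}: downloadable payload {p.path}")
        if i > 0 and p.scheme == "http" and urlparse(chain[0]).scheme == "https":
            findings.append(f"hop {i}: downgrade to plain http")
    if state != "resolved":
        findings.append(state)
    return {"chain": chain, "final": chain[-1],
            "verdict": "block" if findings else "allow", "findings": findings}


def scan_body(text, fetch=fake_fetch):
    """Extract every URL in a message body and judge each one."""
    return {u: judge_url(u, fetch) for u in URL_RE.findall(text)}


# Constructed message body in the style of a library-card phishing lure.
BODY = """Your library card is suspended. Review the notice at
https://short.example/a1 or read our policy https://docs.example/policy.pdf
Mirror: https://loop.example/x"""

if __name__ == "__main__":
    for url, r in scan_body(BODY).items():
        print(url, "->", r["verdict"], " > ".join(r["chain"]), r["findings"])
```

The first link in the constructed body is judged by its fourth hop, which is the only place the payload host and the `.zip` download appear; a check that stops at the visible URL would have allowed it. The loop and hop limits matter as much as the blocklist, because an attacker who controls the redirector can otherwise keep the scanner busy indefinitely.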

 

Complying with these proactive measures effectively reduces the risk of the targeted email attacks described above. Moreover, understanding and responding to these attacks requires awareness of and adherence to international email security standards, using solutions that follow them. Mail Inspector Platform provides solutions that meet these functional requirements.




 5. Conclusion



Organized cyberattacks are an increasingly significant threat to governments. A government can fall victim to any such attack, and the damage lands on its employees and on the public it serves. Email security standards play a pivotal role in providing solutions to cope with advanced email attacks. Diagnosing email security against ITU-T X.1236 is a proactive defense against these hacking techniques. Compliance with the international email security standard can begin with a thorough diagnosis of adherence to it through Mail Inspector.


 

 

 6. References


<91% of all cyber attacks begin with a phishing email to an unexpected victim>

https://www2.deloitte.com/my/en/pages/risk/articles/91-percent-of-all-cyber-attacks-begin-with-a-phishing-email-to-an-unexpected-victim.html

 

<SPACING INVESTIGATION: TORONTO PUBLIC LIBRARY RANSOMWARE ATTACK, PT. I>

https://spacing.ca/toronto/2024/03/27/spacing-investigation-toronto-public-library-ransomware-attack-pt-ii/

 

<Toronto Public Library outages caused by Black Basta ransomware attack>

https://www.bleepingcomputer.com/news/security/toronto-public-library-outages-caused-by-black-basta-ransomware-attack/

 

<Toronto Public Library confirms data stolen in ransomware attack>

https://www.bleepingcomputer.com/news/security/toronto-public-library-confirms-data-stolen-in-ransomware-attack/

 

<Threat Assessment: Black Basta Ransomware>

https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/


*The images used in this post were generated using artificial intelligence (AI).
