Security Threats, They Are a Changin’
November 17, 2021 Alex Woodie
Ransomware came into 2021 like a lion, but rather than going out like a lamb, it seemed to get bigger and meaner. Even IBM i shops, which so often are protected from the wider security storm, felt the panic and sense of helplessness of having their precious data held for ransom. But early indications are that the security threat we’re talking about this time next year may be entirely different.
It’s tough to overestimate the impact that ransomware had on American businesses and other institutions through the course of the year. We had indications that something big was unfolding a year ago, when security researchers started calling attention to a wave of cybercrime they saw coming, which they dubbed “Christmas for ransomware.” Little did we know that the pace of ransomware infections in 2020 would essentially double in 2021.
By March of this year, the ransomware epidemic had hit epic proportions. High gasoline prices are making news now, but eight months ago, many residents on the East Coast couldn’t even get gas after a ransomware attack took down the Colonial Pipeline network, which supplies nearly half of the gas on the East Coast. Meat processing plants, hospital networks, and schools also fell victim to the ransomware attacks, many of which were perpetrated by Russia-based ransomware-as-a-service operations, such as REvil.
Independence Day fell on a weekend this year, giving Americans a nice long holiday weekend to rest and relax with friends and families. But apparently, the Russian cybercriminal gangs were working overtime, as REvil affiliates launched a massive ransomware attack that exploited a five-year-old flaw in the Kaseya Virtual System Administrator (VSA) software and hit 1,500 organizations around the world, bringing back poignant memories of the major SolarWinds supply chain breach that surfaced in 2020.
Like other pieces of malware, ransomware is designed to exploit more commonly used operating systems, like Linux and Windows. That would normally provide a bit of security for organizations that run business software on proprietary IBM i servers, which run the object-oriented IBM i operating system that generally isn’t susceptible to Windows and Linux viruses (IBM’s official stance is that it’s “virus resistant”).
However, just as we saw with earlier generations of malware, the IBM i server has proven to have one glaring vulnerability when it comes to ransomware: the Integrated File System (IFS), the Windows-like file system that is increasingly used to store all types of stream files and unstructured data, such as PDFs. When one or more Windows PCs have drives that are mapped to the IFS, everything on that IFS is vulnerable to being lost in the event of a ransomware attack.
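The exposure described above is easiest to catch by watching for what ransomware actually does through a mapped drive: one workstation rewriting many share files with encrypted (high-entropy) content in a short window. The following is an added defender-side example, not code from the article or from IBM: it takes constructed file-write events (timestamp, writing host, IFS path, first bytes written), and the share root /home/shared and the thresholds are assumptions to tune per shop.

```python
# Added example (not from the article): flag ransomware-like write bursts
# against an IBM i IFS share that Windows PCs reach through a mapped drive.
# Event format, share root and thresholds are assumptions, not IBM settings.
import math
from collections import defaultdict

IFS_SHARE_PREFIX = "/home/shared"   # assumed NetServer share root on the IFS
WINDOW_SECONDS = 60                 # burst window per writing host
BURST_THRESHOLD = 20                # high-entropy writes per window to alarm on
ENTROPY_THRESHOLD = 7.5             # bits per byte; encrypted output sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; plain documents are usually well under 6."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def flag_bursts(events):
    """events: iterable of (ts_seconds, host, ifs_path, first_bytes).
    Returns {host: count} for hosts that wrote >= BURST_THRESHOLD high-entropy
    files under the share within any WINDOW_SECONDS span."""
    per_host = defaultdict(list)
    for ts, host, path, head in events:
        if not path.startswith(IFS_SHARE_PREFIX):
            continue                       # writes outside the share are ignored
        if shannon_entropy(head) >= ENTROPY_THRESHOLD:
            per_host[host].append(ts)
    flagged = {}
    for host, stamps in per_host.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):     # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > WINDOW_SECONDS:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                flagged[host] = end - start + 1
                break
    return flagged


def sample_events():
    """Constructed events: PC-07 rewrites 25 files with encrypted-looking bytes
    in 30 seconds; PC-02 saves three ordinary text files."""
    encrypted = bytes(range(256)) * 16          # every byte value equally likely
    plain = b"Invoice text " * 300
    burst = [(1000 + i, "PC-07", f"/home/shared/docs/inv{i}.pdf", encrypted)
             for i in range(25)]
    normal = [(1000 + i * 10, "PC-02", f"/home/shared/notes/n{i}.txt", plain)
              for i in range(3)]
    return burst + normal
```

Run flag_bursts(sample_events()) to see PC-07 flagged and PC-02 left alone; in production the events would come from share audit logging rather than a constructed list.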
As cybercriminals ramped up their ransomware attacks, they soon started targeting IBM i shops. In late July, we told you about one IBM i shop’s harrowing experience battling ransomware. The attack occurred in May of this year, and it took out all of the company’s servers and PCs, except for the IBM i server and the AS2 server, which was offline due to a malfunctioning fan.
The vulnerability that let the attackers and malware in, a forensic investigator determined, was a flaw in Exchange Server that allowed criminals to send a malicious email attachment from a legitimate account. With its internal network crawling with cybercriminals, the company was lucky that its new Power9 server was left untouched, even though they had full access to it. The crooks probably didn’t know what it was, our company source told us.
If there’s one bright side to the ransomware epidemic, it is that it has led some IBM i shops to reassess their security configurations. The IBM i shop mentioned above thought it was running a relatively tight ship when it came to its Windows security, and paid the price for it. Now, it’s also doubling down on the IBM i side of the house, including improving password standards, adopting TLS encryption for ACS and RDi sessions, and exit point software monitoring SQL, ODBC, and other holes in the network that could let the bad guys in.
The security improvements echoed what the folks at PowerTech have been saying for years, that the poor state of IBM i security is a ticking time bomb. During a presentation of the HelpSystems 2021 IBM i Marketplace Survey this February, Ian Jarman, the Power Systems business unit executive, remarked: “I was frankly quite alarmed at the fact that so few people have exit point security in place or privileged user management.”
The onus is on business leaders to improve the state of security, Jarman said. “I think collectively, as a community, we need to focus more not just on the security capabilities that we have, but convincing executives in our companies that security is a challenge that we need to address together,” he added.
One result of the ransomware epidemic has been a surge in demand for safer storage devices, including tape drives, which store backups in a medium that is naturally air-gapped and can’t be tampered with or deleted by cybercriminals, even if they have full run of the IT shop. Surely, training users not to click on malicious links must be the first line of defense, as UCG Technologies offers through its partner, KnowBe4. But storing the data in a tamper-proof (or at least “tamper resistant”) manner has also become more popular.
IBM responded to the surging demand for ransomware solutions in July with the launch of a new data protection mechanism in its FlashSystem arrays. The new feature, called Safeguarded Copy, utilizes the FlashCopy mechanism borrowed from the DS8000 arrays to make copies of production data. In the event of a ransomware attack, there is a copy safeguarded from the attackers that the customer can restore. This feature is also available in the DS8000 arrays.
But perhaps the best way to thwart a ransomware attack is to have your IBM i systems properly configured. On this topic, there is a good paper called “Ransomware and IBM i” that was written by Robert Andrews, an IBM i security expert in IBM Lab Services, that is essential reading.
The ransomware threat may not be contained, but at least it’s better understood at this point. With the cost of an average ransomware attack doubling, from about $760,000 to $1.85 million (per Security Intelligence), few CIOs or CTOs can claim that they’re unaware of the threat that ransomware poses to their companies.
So what threats are we, as yet, still unaware of? According to Akamai’s latest “State of the Internet” report, the next threat lurking in our stacks may be APIs.
“We believe attacks on APIs are underdetected — and underreported when they are detected — making them one of the biggest threats organizations face,” writes Martin McKeay, Akamai’s editorial director, in the intro to its report. “DDoS attacks and ransomware are both major issues, and they’re both in the news today because their impact is so immediate and visible. The attacks on APIs don’t receive the same level of attention, in large part because criminals use APIs in ways that lack the splash of a well-executed ransomware attack.”
To be sure, APIs are in the news. They’re a core component of the modern data stack, which has business processes running as distinct microservices accessible via REST APIs. Companies with legacy applications, including IBM i shops with huge monolithic apps written in RPG, COBOL, and even Java, are looking to APIs as a core element of their modernization plans.
Unfortunately, the words “security” and “APIs” rarely go together. “If you’ve spent any time looking at APIs, you already know that security is too often an afterthought,” writes Veracode Chief Research Officer Chris Eng in the Akamai report. “We’re making all the same mistakes with API security that we made with Web security 20 years ago.”
The report also has this disturbing prediction: Gartner says that “by 2022, API abuses will move from an infrequent to the most-frequent attack vector, resulting in data breaches for enterprise Web applications.”
Just as APIs widen the number of channels by which companies can interact with the outside world, they can also provide more ways that criminals can impact those companies. “APIs greatly expand the attack surface that organizations must be concerned about,” Akamai writes in its report. “That means defenders and development shops need to work harder to address these problem areas.”
While companies are already working to shore up their API estates, more work still must be done, Akamai writes. For IBM i shops with APIs in their sights, building security into the equation from the beginning would be a good idea.