Good guy hackers: St. Paul company uncovers companies’ cybersecurity weaknesses
The team assembled in a Plymouth parking lot under the cover of darkness.
Gearing up equipment, wearing dark clothing, they prepared for a break-in.
They walked in a single line to avoid security cameras.
“We actually will go at night, emulate an actual bad guy,” said Brian Halbach, a security expert with RedTeam Security of St. Paul. “Break in using the same tools and techniques that the criminals use.”
Their mission this night: uncover cyber and infrastructure security weaknesses at Intereum, an office furniture supply company.
“We worked with this organization to do what we called penetration tests,” said Matt Quinn, Intereum’s vice president of integrated solutions. “They worked on trying to get through the perimeter, through the physical parts of the building … we also had them take some steps around cybersecurity, vulnerabilities.”
“Show you, yep, we were able to get through this door, we were able to bypass this sensor,” Halbach said. “And at the end of the day we plugged into your network and took it over.”
The idea is to beat cyberthieves at their own game before an actual ransomware attack or other threat.
"Try to look at any available computers that they could get through,” Quinn explains. “Try to get on to our network, once they got into the building, as well as continue just to snoop around where our servers are, just to see if they could get access to our network.”
The team is made up of two parts: One company, RedTeam Security, zeros in on computer systems. Their partner, FoxPoint Security, accesses the building itself.
“The more integration we have with our networks to our physical locations, the more ways there are to compromise it,” said Bryan Carver, a FoxPoint spokesperson. “If a building per se has a security network that locks the doors, or unlocks the doors, people, property, or operations could be held hostage.”
"Because if you have the most secure computer network in all the world, but your door’s unlocked and anyone can walk in and steal your laptops, that’s a pretty big issue,” Halbach added.
Within minutes, both teams are inside — although they’ve triggered an alarm system.
They quickly locate Intereum’s servers. Equipped with USB drives loaded with custom code to remotely control the company’s computers, RedTeam finds an unlocked laptop that allows them access.
"We actually had an employee transition at the time, and that computer was left open and available that evening,” Quinn said. “And, of course, they got access to it, and that, of course, would be a vulnerability."
Intereum says despite that access, the RedTeam group wasn’t able to compromise the company’s network or servers.
But Halbach says the test was still a success.
"It helps them discover the unknown unknowns,” he said. “So it helps flush out the areas of concern that they didn’t even know exist."
Back at the team’s office, crammed with computer gear and hacking tools, Halbach explained more about the growing ransomware threat.
"Just with a couple of clicks of a mouse on an innocent-looking email, your whole computer is taken over with this big splash screen that is demanding payment,” he says, pointing to a laptop.
Experts say a simple click allows hackers to install malicious software designed to lock files on your device, and demand payment in order to unlock them.
Asked if the ransomware picture is getting worse, Halbach responds with an emphatic ‘yes.’
“The tools to do these attacks are getting spread around… it’s getting down to the point where a knowledgeable teenager can launch some of these attacks if they have the proper software, and they can tune it and launch an attack against you,” he notes. “It costs pennies, less than pennies to create the emails and send them out. And then the reward, absolutely huge."
How large is that reward?
“Every year, the FBI will put out a report that measures it in billions of dollars of damage to the economy,” says Professor Jonathan Wrolstad, a University of Minnesota cyber security expert. “I’ve been doing this field of computer security since 2009, and every year it’s gotten worse, not better.”
A 2020 report by the FBI’s Internet Crime Complaint Center says while the nation was focused on the pandemic during the last year and a half, hackers were busily infiltrating personal and corporate computer systems. The reported losses from cyber crimes totaled nearly $4.2 billion.
Wrolstad says thousands of companies and governments are affected.
“2020 into 2021 has some of the largest attacks I’ve ever seen, both by the amount of money that’s getting paid by the compromised corporations, and also by the volume of attack,” he says. “Either through lost work time because a company’s network is down, and they can’t perform business due to ransoms being paid or through fraudulent wire transfers.”
The FBI says nationwide, ransomware losses are climbing.
Losses of $29 million were reported to federal authorities in 2020, compared to $3.6 million just two years before, the bureau says.
The Department of Homeland Security says ransomware attacks are up 300% in the past year.
"We’re talking about criminals who want to make money illegally, or who want to do harm, independent of a profit motive,” Secretary of Homeland Security Alejandro Mayorkas told ABC News.
Wrolstad says specific numbers, including in Minnesota, are difficult to track because companies are reluctant to disclose they’ve paid a cyber ransom.
"I think it’s correct to say they don’t want it to be widely publicized because they’re afraid it could make them look bad,” he said. “And it could look to the customers like they’re not protecting their information well."
Wrolstad says this is a problem that is not going away.
His advice: Back up critical systems separately and get a security check.
"It’s a good idea of course to search for any vulnerabilities within your corporate network,” Wrolstad advises. “And it’s also good to hire somebody to double-check and examine those vulnerabilities in case you miss any.”
Experts say ransomware demands are not cheap.
A recent Verizon study found most breaches range between $826 and $653,000.
ABC News says the largest ransomware attack, against an Irish software company over the Fourth of July weekend, demanded $70 million in payment.
The FBI recommends that companies not pay these cyber-ransoms, saying the practice only emboldens hackers to find more victims.
But some firms say they have no choice, because with their networks frozen, business is at a standstill.
Experts say the biggest problem is that you might not get your data back, even if you do pay.
Halbach says it’s a balance. While corporate security has gotten better, he also warns cyber thieves are growing more sophisticated and that anyone using a computer needs to be on alert.
"So it’s kind of this little cat-and-mouse game,” Halbach said. “So even if you’re doing everything perfectly, even if you’re doing everything correct, the attacker needs to be just one tiny step ahead of you, and then it’s kind of game over, everything else is a domino effect.”