VPN vulnerability linked to ransomware attack on Law Society: PDPC

SINGAPORE: A vulnerability in the Law Society’s virtual private network (VPN) was linked to a ransomware attack that affected the personal data of more than 16,000 members, the Personal Data Protection Commission (PDPC) said.

In its decision that was published on Thursday (May 11), the PDPC also found that an easily guessed password was used for a compromised administrator account and that the society did not conduct periodic security reviews for three years. 

These were not directly related to the incident, but were discovered during its investigations into the incident, said the PDPC.

WHAT HAPPENED

The commission launched an investigation after an incident on Jan 27, 2021, when a “threat actor” accessed the Law Society’s IT administrator’s account and used it to create a new account with full administrative rights.

Using this new account, the threat actor “moved through” the society’s network without detection and located its servers. The threat actor then executed a ransomware attack on the servers, encrypting their contents.

The attack denied the society access to the personal data of its members and former members. Every advocate and solicitor called to the Singapore Bar is a statutory member of the Law Society, as long as they have a practising certificate in force.

More than 16,000 members’ personal data was affected in the incident, including their full name, residential address, date of birth and NRIC number. Other data affected included business contact information.

The society’s antivirus software detected the attack on the same day, and the society removed the newly created account. It also restored the servers to their original state from back-ups.

VPN VULNERABILITY

The PDPC’s investigation centred on whether the Law Society had breached its obligation under the Personal Data Protection Act.

It is required to protect personal data by making “reasonable security arrangements” to prevent unauthorised access.

The Law Society used an off-the-shelf secure VPN solution called FortiOS to manage remote access to its servers, and it also engaged a vendor to provide IT support services. This includes maintaining the VPN system.

Investigations disclosed that there could have been multiple threat actors targeting the Law Society, or the same group targeting it through multiple channels.

About 10 days before the incident, multiple unsuccessful login attempts using a “guest” account were found. There were also further unsuccessful attempts made using random accounts. But there was no evidence to show that was how the threat actor got access.

Investigations also revealed the Law Society was attacked by the Netwalker ransomware, most commonly introduced via phishing emails. However, there was no evidence of the compromised admin account’s credentials being obtained by the threat actor through phishing.

The PDPC also looked at the vulnerability of the VPN system. At the time, multi-factor authentication was not implemented for administrator access. 

The investigation revealed a vulnerability in the VPN system that could have been exploited to obtain access credentials if left unpatched. This was deemed to be a possible way the threat actor got the credentials of the compromised admin account.

The developer of the VPN system, Fortinet, said it disclosed the vulnerability as early as May 24, 2019. But the vendor said there was no prompt of the updates available for download prior to the incident.

In his decision, Deputy Commissioner Yeong Zee Kin said the PDPC has decided that it is reasonable for the Law Society to rely on the vendor to perform software security patching, including of the vulnerability.

The society had also discharged its duty of oversight of the vendor’s patching function.

For these reasons, the Law Society has not breached its protection obligation, the PDPC ruled.

WEAK PASSWORDS

The PDPC also found other breaches of the society’s protection obligation, although these were not directly related to the incident.

The commission found a weak password – investigations showed it was “Welcome2020lawsoc” – for the compromised admin account. 

It had been used for more than 90 days and was not changed every three months, as required by the Law Society’s policy. It had failed to enforce its password policy on the compromised account.
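As an added example that is not part of the article or of the Law Society’s own systems: a small Python policy check that flags the “greeting + year + organisation name” pattern behind the compromised password and lists accounts whose password is older than the 90-day limit the society’s own policy set. The organisation tokens, account names and dates are constructed for illustration.

```python
from datetime import date, timedelta
import re

# The society's policy, as the article describes it: rotate every three months.
MAX_PASSWORD_AGE_DAYS = 90

# Assumption: organisation-specific words a guesser would try first (illustrative).
ORG_TOKENS = ("welcome", "lawsoc", "lawsociety", "password")


def weak_pattern_reasons(password, org_tokens=ORG_TOKENS):
    """Return reasons a password looks guessable; empty list if none are found.

    Run at the moment a password is set; it never stores the password.
    """
    reasons = []
    lowered = password.lower()
    if len(password) < 14:
        reasons.append("shorter than 14 characters")
    if re.search(r"(19|20)\d{2}", password):          # e.g. the '2020' in Welcome2020lawsoc
        reasons.append("contains a four-digit year")
    for token in org_tokens:
        if token in lowered:
            reasons.append("contains predictable token '%s'" % token)
    if not re.search(r"[^A-Za-z0-9]", password):     # letters and digits only
        reasons.append("no symbol characters")
    return reasons


def rotation_overdue(last_changed, today, max_age_days=MAX_PASSWORD_AGE_DAYS):
    """True when the password is older than the policy allows."""
    return today - last_changed > timedelta(days=max_age_days)


def audit_accounts(accounts, today):
    """accounts: iterable of (username, last_changed, is_admin). Returns findings."""
    findings = []
    for username, last_changed, is_admin in accounts:
        if rotation_overdue(last_changed, today):
            age = (today - last_changed).days
            tag = " [ADMIN]" if is_admin else ""
            findings.append("%s: password %d days old (limit %d)%s"
                            % (username, age, MAX_PASSWORD_AGE_DAYS, tag))
    return findings


# Constructed sample: an admin password last rotated in early 2020, audited on
# the date of the incident described in the article (27 Jan 2021).
SAMPLE_ACCOUNTS = [
    ("it-admin", date(2020, 1, 6), True),
    ("staff-a", date(2020, 12, 15), False),
]
```

Running `audit_accounts(SAMPLE_ACCOUNTS, date(2021, 1, 27))` reports only the admin account, 387 days past its last change.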

The PDPC also found that the Law Society did not conduct a review of its security arrangements in the three years prior to the incident.

The commission has previously emphasised the need for regular review of security arrangements and tests to detect vulnerabilities.

For these reasons, the Law Society was found to have “negligently breached” its protection obligations.

PDPC FINDINGS

The deputy commissioner said the Law Society’s breaches of its protection obligation – the weak passwords and lack of periodic security reviews – were not the “proximate cause” of the incident. It was caused by the VPN vulnerability.

The data affected was not of higher sensitivity, and the risk of unauthorised access to its members’ data was “limited” because of early detection.

“There was no evidence of any exfiltration or misuse of the personal data of the members and the (Law Society) took prompt remedial actions in response to the incident,” said Mr Yeong in his decision.

He ordered the society to engage qualified security service providers to conduct a thorough security audit, and to let the PDPC know its results. The society will also have to rectify any security gaps and inform the PDPC.

The Law Society said on Friday that it has engaged forensic IT consultants to do a thorough investigation of the security breach. It has also conducted its own investigations.

“In the past two years since the incident, we have already taken a number of proactive steps to enhance our cybersecurity infrastructure,” it said in a statement.

“Those include implementing multi-factor authentication for all VPN access and strengthening our in-house IT team to deal with cybersecurity matters.”