Category Archives: Alert

Security alerts

Planning for a Ransomware Attack

You know that if publications like Forbes are running pieces on preparing for ransomware attacks that things must be getting bad.

The Forbes piece, written by former Deputy Undersecretary for Cybersecurity at DHS Mark Weatherford is good, but it leaves out a few things (I am guessing that Forbes gave Mark a word limit).

We continue to see multi million dollar ransoms being paid. Garmin is reputed to have paid $10 million and the University of California at San Francisco paid $1.1 million. Those are just a couple of very recent, very public ransoms paid.

We seem to hear every day of a new attack: Opus Capital Markets (Freddie Mac vendor), Honda, Fresenius, 41 health care providers. This is just a sample of the attacks.

So what do you do – how do you prepare?

These are Mark’s recommendations. I will add some of my own.

  1. Have a business continuity plan. When Travelex got hit by ransomware earlier this year they were literally out of business for a month. They can afford that – can you?
  2. Focus on the data. Mark says systems can be replaced. Not so easy when it comes to the data. How much data are you willing to lose? A week? A day? An hour? Many times the backups are accessible online. Convenient. And easy for the hackers to destroy or encrypt. If that happens, you have nothing.
  3. Regularly educate your users. That means, for example, you need to be phishing your users regularly and the fake phishes need to be very convincing. Regular means weekly. Different phishes for different people. This includes the executive team.

Okay, so that was end of Mark’s list. Here are a few of mine to add to the mix.

4. Make sure that everything is patched. Computers, servers, cloud, phones. While that may not stop hackers, no sense making it easy for them.

5. Have a TESTED incident response plan. When Equifax announced their breach, they gave out the wrong web site and the right web site, when they finally got that out – it was not even owned by Equifax. It was set up after the breach by someone at their marketing vendor. He owned it personally. Doesn’t inspire confidence by your customers who may have just had the worst day of their business life.

6. Have cyber insurance. This is your last resort. These days it is still pretty affordable. Norsk got paid $3.5 million by their insurance and they spent $60 million to recover. Make sure that the insurance covers all of the situations that might occur (they often don’t) and that you have enough.

Finally, plan, test and plan some more. A few months before the Sony attack that was blamed on North Korea, there was a very similar attack on the Sands Hotel and Casino empire. Didn’t hear about the Sands attack? That is because they were prepared.

Are you? The rate of attack and the price of ransom are both escalating. Don’t wait; prepare now.

Source Code from Dozens of Companies Stolen

Companies like Microsoft, Lenovo, GE, Nintendo and many others have created publicly visible repositories on places like Github. Some of these buckets are empty and some may legitimately be intended to be public.

But those that contain access credentials – userids, passwords and API keys – likely are NOT intended to be public.

Some of the code from, for example, game developers, may be valuable intellectual property.

You can kind of think of this as a variant of the Amazon S3 buckets which are discovered all the time without passwords.

The project, called “Confidential & Proprietary” takes that code and posts it on their web site.

Sometimes they tell companies about it in advance. Not always.

If they get a takedown notice, they remove it, but likely any damage is already done.

Bottom line, companies need to create a secure software development culture and protecting their code and credentials is part of that.

Does your company have a secure software development lifecycle program? Do you need help creating one? Contact us. Credit: Bleeping Computer

Ransomware Gone Berserk

As if ransomware wasn’t bad enough in the past.

As if ransomware 2.0 didn’t make you lose sleep.

If you thought that the pandemic was slowing down cyberattacks.

Sorry to be the bearer of bad news.

We are seeing new ransomware strains pop up at an alarming rate. In just the past couple of months we have seen:

  1. Avaddon – an email based attack that tries to lure you in by a subject line like Your New Photo? of Do You Like My Photo? The attackers sent out over a million emails in just one week trying to compromise people’s computers. And they have an affiliate program that pays a very generous 65% of any ransom that they generate.
  2. AgeLocker– uses the Google developed Age encryption tool. They are demanding 7 Bitcoin to unlock your files (about $65,000).
  3. Conti – probably a successor to Ryuk. New and improved. Can encrypt 32 files at the same time for reduced time to detect before it is all over. It attempts to maximize damage.
  4. ThiefQuest – This is a piece of Mac wizardry. Not only does it encrypt your files, but it also installs a keylogger, reverse shell and other niceties. They were asking $50 to decrypt, but there is no way to contact the hackers. There is now a free decryptor, but if the goal was really to install the keylogger and back door, maybe they figure that you won’t notice that if you can get your files back.
  5. WastedLocker – a variant of the EvilCorp malware, it has been targeting U.S. Fortune 500 companies and demanding multi-million dollar ransoms.
  6. Try2Cry – This ransomware uses infected links and compromised flash drives to share the love. This one, too, seems to be decryptable.
  7. FileCry – Another amateur attempt. They ask from 0.035 Bitcoin or about $400 at today’s value.
  8. Aris Locker – This one threatens the user that if they snitch on the hacker, they will delete your data permanently. They are asking for $75 in ransom if paid quickly; $500 otherwise.

While some of these strains are not a serious threat, others are and these are just the strains that this article identified in the last couple of months.

Suffice it to say, ransomware is alive and well and not taking a break during these crazy times.

This means that you better be ready to deal with the situation if one of your employees accidentally opens an infected email and compromises your network. Credit: Cyware

Security News Bites for the Week Ending July 24, 2020

Cloudflare DNS Goes Down Taking A Big Chunk of the Internet Down

Good news and bad news. For companies like Shopify, League of Legends and Politico, among many others, Friday afternoon gave you a headache. You outsourced your DNS to Cloudflare and they had a burp. The good news is that because they are Cloudflare they were able to diagnose it and mitigate the problem in 25 minutes. While no one wants to be down, could you fix your internal DNS server meltdown in 25 minutes? Credit: Techcrunch

Great Article on How Norsk Hydro Dealt with a Ransomware Attack

Bloomberg has a great article on how Norsk dealt with their ransomware attack. Couple of thoughts. They spent $60 million to recover. Their insurance has paid them $3.6 million. You do the arithmetic. And, they weren’t dealing with ransomware 2.0 which really changes things. Check out the article on Bloomberg.

Grayshift Has a New Form of Spyware

Grayshift, the company that breaks into cell phones for cops and “other entities”, has come up with a new tool. Take a locked iPhone and put it on the Grayshift box. They install malware onto your locked iPhone. Then they give it back to the suspect under the guise of, say, calling their lawyer. The suspect unlocks the phone and the malware records the unlock code. Then the cops take the phone back and can unlock the phone without you. Likely Apple will figure out how they are doing this, but for now, it works. Credit: NBC News

First American (Title Company) Makes History

New York’s Department of Financial Services released a highly detailed set of security standards a couple of years ago for businesses that they regulate called DFS 500. This set of security standards dictates what controls and processes banks, mortgage companies, insurance companies and others must implement to protect the data that they store. First American is the first company that DFS has sued for messing up. There were 885 million records exposed and the fine can be $1,000 per record. You do the math and start the negotiations. Credit: PYMNTS.Com

Critical Infrastructure Can be Hacked by Anyone

Well that is not a comforting thought.

Cybernews is reporting that using an Internet of Things search engine (like Shodan, but they don’t say which), they were able to scan big swaths of the Internet. In their case they were looking for exposed IoT systems.

Not just any IoT, but critical infrastructure IoT. Here is just a sample of what they found.

This represents an onshore oil well and it looks like they could change flow from this interface.

This system seems to control five different off-shore wells.

Perhaps you would prefer to control the water supply instead.

Or perhaps you would like to drinking water undrinkable.

If you would prefer to mess up the other end of the process, maybe you could make this poop plant poop in the wrong place.

These hacks did not require a great deal of skill. They did not exploit zero day vulnerabilities that only nation states have access to. Sure it took some work, but these guys are journalists, not master hackers.

Only the electric grid as **BEGUN** to take these threats seriously and they are only taking baby steps.

In Europe, Facebook can be fined 125 million Euros for for not taking down a piece of terroristic content within an hour.

Have any of these companies been fined anything? I don’t think so.

Maybe hackers don’t want to start a fighting war, but for anarchists, who knows. Let’s say there is an anarchist in Iowa. Are we going to bomb Des Moines?

What if the hacker *WAS* in Des Moines but took over a computer in Germany to launch the attack. Are we going to attack Germany? Anarchists would like us to do that.

Needless to say, this is a bit of a mess and these are only samples of what they were able to do.

One of the problems that the critical infrastructure industries have is that many of their control systems were designed when people were still painting pictures on cave walls with ground up plants. Well, not exactly, but in technology terms, pretty much exactly.

If the government doesn’t FORCE these companies to pass security tests like the DoD is beginning to force contractors to deal with under the threat of not getting any contracts, nothing will improve.

Since most of these companies are regulated, their regulators need to approve the rate increases necessary to fix the problems and, for most regulators, this is a theoretical problem. After all, no one was provably killed by my decision not to force utilities to improve their security.

And since most legislators have trouble starting a Zoom conference without help from their millennial intern, I would not hold out a lot of hope for those same people understanding the complexities of industrial internet of things devices.

I just hope that it won’t take a Bhopal-style disaster to get their attention.

Ransomware with Terms of Service

So you thought only companies like Microsoft and Google had terms of service. Apparently that is not the case.

I keep talking about the horror that ransomware 2.0 is with hackers stealing the data before they encrypt it and threatening to publish the data if you don’t pay.

That means backups alone are not sufficient to protect you.

Now one of the first players to use ransomware 2.0 against victims is upping the ante by creating terms of service like a legitimate software provider.

Here are their terms:

  • If you do not respond to their attack within 3 days, they will publish that you have been hacked on their web site. They say that if you don’t start communicating within 3 days, you only have yourself to blame.
  • They say that negotiating means dialog and finding the “best” solution for both parties. If the “client” is too shy, scared or just can’t negotiate, that is, they say, exclusively the client’s problem.
  • They say that if you can’t figure out how much it is going to cost you to recover without them, they will help you. It will cost you over 10 million dollars. Not sure how they came up that number, but there you go.
  • If the “client” fails to start communication, they will start to publish the data. After 10 days they will publish all of the data. I suspect this is due to victims stringing them along. Maybe they figure that if they are not going to get paid, causing pain may get other people to see things differently. If you see your competitor’s data laid out on the Internet and you get hit, you are more likely to pay, probably.
  • Once they start publishing the victim’s data they will start notifying regulators, customers of the victim and partners of the victim. Every state has a privacy law. If the data that they publish includes personal data of California residents, you can almost guarantee that you will get sued.

All of this likely is to try and put a lot of pressure on victims to pay. As companies improve their backups and business continuity programs, they have been less likely to pay, even though many high profile companies have paid, many of them silently. Many of them have paid millions of dollars each.

Ultimately, you need to do your best to keep the hackers out. That is the best solution. If you need help, let us know.

Here is a screen shot of their terms of service. I am not clear if their bad English is a scam – likely it is, so just ignore that.