Category Archives: Breach

Security News for the Week Ending July 16, 2021

Supply Chain Attacks Roll On

The Accellion File Transfer Appliance vulnerabilities have been the source of many breach notifcations over the last several months. For whatever reason, they seem to be dribbling out. The newest one is Morgan Stanley. In this case, it was a Morgan Stanley VENDOR that was using Accellion, so instead of the third party attacks we talk about all the time, this is a fourth party attack. Of course, Morgan Stanley will take the heat, fines and lawsuits. Are you sure your vendors have your back? What about their vendors? Credit: Data Breach Today

Senate Finally Confirms Jen Easterly as Head of DHS/CISA

After CISA has not had an official chief for 8 months and after one Senator pulled a pre-July 4th political stunt that delayed her confirmation, the Senate unanimously confirmed Easterly this week. Easterly, who retired from the Army in 2011, was the deputy director for counterterrorism at the NSA, was on the National Security Council staff at the White House and is a two time Bronze Star recipient, is an outstanding person to lead CISA after Chris Krebs was fired last year for not following the party line. Credit: CNN

Did Russia Get the Message?

Remember the Revil ransomware gang? The folks that hacked Kaseya and JBS, among others? Well their web sites are no more. Did the U.S. take them down? Did Putin decide he didn’t like the heat? Will they come back later under a different name? Not clear. But what is clear is that people who were trying to get their files decrypted by paying the ransom – they have a bit of a problem as in kinda out of luck. My guess is Biden told Putin to fix the problem or we would fix it for him and he probably would not like the collateral damage. Credit: MSN

Hackers are Hard to Kill Off

Last year around election time the Pentagon was all full of press releases that they took down a Russian hacking operation called Trickbot. They have millions of victims around the globe. Bitdefender found that they are resurrecting their tools; updating them, etc. While Bitdefender found this particular tool using a honeypot, it doesn’t that was their only tool and it certainly does not mean they will shut down. It does mean that hacker networks are so profitable, that they will come back from the dead. Credit: The Daily Beast

Want a $10 Million Prize?

The feds are offering a reward of up to $10 million for information on operations conducted by actors working for a foreign government. On Thursday, the U.S. Department of State announced that its Rewards for Justice (RFJ) program now incentivizes reports of foreign malicious activity against U.S. critical infrastructure. The actions may include extortion as part of a ransomware attack, stealing information from protected systems, “and knowingly causing the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causing damage without authorization to a protected computer.” The feds set up a Tor site to report information confidentially. Credit: Bleeping Computer

Security News for the Week Ending June 4, 2021

Freaking Ooops: Us Nuke Bunker Security Secrets On Public ‘Net Since 2013

Details of some US nuclear missile bunkers in Europe, including secret duress codewords have been exposed publicly on the Internet. Journalists discovered it by using simple search queries. The information was on training flashcards, which should not have been public. It includes “intricate security details and protocols such as the positions of cameras, the frequency of patrols around the vaults, secret duress words that signal when a guard is being threatened and the identifiers that a restricted area badge needs to have”. The information has now been deleted. It was exposed since 2013. Good job, folks! Credit: The Register

If You Can’t Spy Yourself, Ask Your Friends for Help

It takes a village – even if that is a village of Spies. The NSA got help from Denmark in spying on top politicians and other high ranking officials in Germany, Sweden, Norway and France. They did this by asking the Danes to let them tap into an underwater fiber optic cable in 2012. Targets include Angela Merkel. Generally, politicians cyber hygiene habits are really poor, so the NSA probably found a lot of unencrypted data. Credit: The Hacker News

Watch Your Words When Discussing Breaches

If your company is in the unfortunate situation of dealing with a cyber breach, the lawyers say watch what you say in emails or Slack or similar channels because it can come back to bite the company later. If you say to a coworker “oh, yeah, we knew about that bug for months” and the bug wasn’t fixed and that contributed to the breach, well, you can see, that could be a problem for the company. Obviously, it goes without saying that social media is definitely off limits for that kind of conversation. Unless, you don’t like your job or the company. Read details in SC Magazine.

ARIN Plans to Take Down Part of the Internet – This is Just a Test

ARIN, the American Internet IP authority, plans to take down the RPKI infrastructure some time in July, without notice, just to see what breaks. In theory, if RPKI is implemented correctly, the fact that this goes down should be a big yawn. We shall see. Credit: Bleeping Computer

FBI and DoJ to Treat Ransomware Like Terrorism

Since ransomware *IS* terrorism, it is nice to hear that the DoJ is going to treat it as such. Unlike the last administration, this time the FBI took direct aim at Russia as the culprit in a lot of the ransomware attacks. The US Attorney’s offices in every state have been directed to investigate ransomware attacks the same way that they treat other forms of terrorism. While they don’t have the resources to investigate every ransomware attack, any big attack or one that hits a critical industry will be handled just like a terrorist bombing. While this won’t fix the problem, more attention is good. Credit: ZDNet

Security News for the Week Ending April 9, 2021

Ubiquiti All But Confirms Breach Story

As the stories about Ubiquiti’s really bad attempts to save their reputation after a breach earlier this year swirled, they were completely silent, other than a very short statement. Now they have posted a statement on their user forum that says that they have no evidence that customer information was accessed or even targeted. They do not say anything at all to refute the claims that were made that the reason they have no evidence is, well, because there were no log files being created. If you use a cloud provider, I recommend reading this story because it points out the joint responsibility you have. In this case, it is alleged that Ubiquiti’s bad cyber hygiene practices put their customers’ networks at risk. Credit: Brian Krebs

Is This a Breach: Terabytes of OnlyFans Data Leaked Online?

OnlyFans is an online platform for content creators to share content for a monthly subscription fee. The content creators are typically so-called social influencers and adult performers (OK, no jokes, these two are not the same, although there certainly is some overlap). There is content from almost 300 creators/performers and at least of the folders is over 10 gigabytes, so it looks like maybe, in total, a couple of terabytes of content. Google will only take down files if the performer identifies a specific file and says that I own the copyright to it. A bit of a mess, but they say they were not hacked. Credit: Bleeping Computer

Police Say White Supremacists and Conspiracy Theorists Target Cell Towers

The New York Police Department says that cell towers and other critical infrastructure have become an attractive target for conspiracy theorists, especially after the recent election. The Police Department says that conspiracy theorists and far-right white supremacist groups increasingly target critical infrastructure to incite fear, disrupt essential services, and cause economic damage with the United States and abroad. Sounds like the definition of a terrorist to me. Right now we are seeing isolated damage, but it is costing tens of thousands of dollars per incident – that you get to pay to repair and also causing service outages. Remember, for the most part, the only thing between a terrorist and critical infrastructure is a chain link fence and a padlock. The most recent case of that was the terrorist in Nashville that blew up a telephone company office and cost tens of millions of dollars of damage. That is the most that is in their way. Credit: The New York Times via the Intercept.https://theintercept.com/2021/03/17/5g-white-supremacists-conspiracy-theorists-critical-infrastructure/

LG Promises 3 Years of Security Updates After Pulling Out of Phone Biz

South Korean phone maker LG, always an also-ran in the phone biz, called it quits this week. However, they plan to provide both version and security updates for up to three years, depending on the model. The updates are based on when you bought the phone, not when the model was originally released, so this is actually good news for LG phone owners. Credit: The Record

Ex-GCHQ Staff Recommends Banning Ransomware Payments to Kill Off Ransomware

Several ex-GCHQ Staffer (like our NSA) suggest a law banning insurance paying ransoms to kill off the ransomware market. That would probably have some positive effect on it, but it is unlikely to actually kill it off. The other half of that law, however, needs to make the government pay the difference in cost between paying the ransom and not paying the ransom. For example, if the ransom demand is $250k and to rebuild the computers, restore what data you have and replace the lost business for the data that you don’t have will cost you $2 million, the gov needs to fork up the other $1.75 million. While I am not a fan of paying ransoms, this is not the right solution. What we have started to see, but need to see more of, is insurance companies declining to provide coverage to companies with inadequate security. This does not require any laws and will make companies deal with the externalities (this is the insurance company’s problem, not mine). Credit: The Register

Why The Microsoft Exchange Email Hack is So Bad

The media continues to report on the Microsoft Exchange hack, likely perpetrated by China. Reports are that at least 30,000 Exchange servers in the United States are impacted and some people say that number is likely way underestimated. On top of that, the number of servers worldwide is maybe ten times that number.

Given all the media attention, you would think that everyone would, at least, install the patches. It appears that AT LEAST 46,000 servers are not patched, according to The Record.

So why is this a big deal? First, the attackers could read any email on those servers. Whatever that might contain. One organization affected was the European Banking Authority. They say that no data was accessed. Sure, we believe them.

Second, the attackers, in many cases, left behind a present called a web shell. It is a way for the attackers to get back in to the server later. Many of our IT partners decided the only way to make sure that the hackers are really out is by rebuilding the servers from bare metal, not a simple task, especially if you have to do that to tens of thousands of servers.

So lets look at the timeline involved. We are getting more details every day and this timeline is interesting. This timeline comes from Brian Krebs, who Chris Krebs, former head of DHS CISA called his brother from another brother (i.e. they are not related).

Security testing firm Devcore says they alerted Microsoft on January 5 – two months ago.

On January 6th, Veloxity spots attacks that use unknown Exchange bugs

On January 8th, Devcore told Microsoft that they had been able to reproduce the bug.

On January 27th Dubex tells microsoft about new attacks on Exchange servers.

On January 29th, Trend Micro reports in their blog about these web shells infecting Exchange servers, but incorrectly says this was allowed by a bug patched last year.

In February, Microsoft tells the folks who reported the bug that they had escalated the problem and that they had a target release date of March’s patch Tuesday, March 9th.

By the end of February, the cat is out of the bag (it is hard to keep good news secret) and security folks are seeing global mass scans of Exchange servers looking for vulnerable systems.

This forces Microsoft’s hand and they released the patches a week before they planned to, now on March 2.

By March 3rd, tens of thousands of Exchange servers have been compromised. Once the patch is out, especially knowing that it is an emergency patch, hackers worldwide reverse engineer the patch, likely within hours of it being released.

By this time it is a national security emergency and everyone from CISA (who told government agencies that they had 48 hours to patch their servers or shut them down) to the White House to the National Security Advisors are sounding the alarm bell.

On March 5th, Chris Krebs, former head of DHS CISA says that the real number of compromised servers dwarfs the numbers being reported.

Needless to say, this is a big problem.

A couple of interesting footnotes.

Microsoft says that Office 365 was not compromised. Why? Don’t know. Possibly their server configuration is different. Possibly, since they knew about the bugs in early January, they were able to tweak their security before the word got out. I vote for number 2. Apparently at this point, now that we know how the attacks work, it is easy to block new attacks.

Second, Microsoft released patches for every supported version of Exchange. That means that the bug goes back, at least, to 2013.

But wait. Microsoft even patched an unsupported version of Exchange – Exchange 2010. That means that the bugs go back at least a decade. Possibly more.

Now here is the answer that we don’t have.

Were these bugs being quietly exploited for years? Remember if you do it quietly, you probably won’t get noticed.

If so, by whom?

China?

Russia?

Private hackers?

The NSA, CIA, Others?

Foreign intelligence agencies – friendly or not?

And if so, what have they stolen?

Likely we will never know the full extent of the attack, but between the SolarWinds hack and the Microsoft Exchange attack, one thing should be clear. We came to a gun fight with a spoon. And if we do not improve on our security efforts, we are going to continue to lose.

Right Wing Social Media Platform Gab.Com Hacked, Data Leaked

Last month, as Parler was being deplatformed by Amazon, it was hacked and many gigabytes of data were taken and later made public.

In what seems like a sequel, right wing free speech social media platform Gab.com was hacked and, again, data was stolen and later published.

It is reported that Gab is described as a haven for extremists including white supremacists, neo-Nazis, white nationalists, the alt-right and QAnon conspiracy theorists. If this is true, the data is probably of interest to a lot of people and may be “damaging” to the people who created it.

The site went down for a short period last week after saying there was an issue that only affected a few accounts.

When contacted by the media, Gab’s CEO said that there was no independent confirmation of the breach, which likely is true. That of course does not mean that they were not breached. He also said that they don’t collect much personal information. If what he means is that they don’t collect drivers license numbers, he is probably right, but if what he means is potentially embarrassing or criminal-charge-causing posts, well, then, he might be wrong.

The CEO did admit that the site was vulnerable to a SQL injection attack that they fixed last week (like maybe at the same time that they went off line????).

The 70 gigabytes of data that has been leaked (so far) includes public posts, private posts, user profiles, hashed passwords, direct messages and plaintext passwords for groups.

Could the data be used by law enforcement to see if there is a connection with the January 6th riots at the Capitol. Probably.

Compared to the Parler leak, this could be, potentially, much worse, since it claims to contain both private posts and direct messages.

We also don’t know if the 70 gig of data leaked is all that was stolen or just the first installment.

Bottom line, assuming that something that you post on a public social media platform will remain private is probably not a great bet. Credit: Hackread

Security News for the Week Ending February 26, 2021

DoD Working on CMMC-Fedramp ‘Reciprocity’ by Year End

CMMC, the DoD’s new cybersecurity standard is designed to measure security practices of companies and the servers in the computer rooms and data centers. But what about the stuff in the cloud. That is covered by another government standard called FedRAMP. But those two standards have different rules and contractors who have both need to figure out how to comply with two competing standards. DoD is working on this and plans to have a solution by September. One challenge is that FedRAMP allows for a ‘To-Do’ list – stuff we will fix when we get to it and CMMC does not. Harmonizing these two standards is critical for defense contractors. Credit: Defense Systems

The Risk of NSA’s Offensive Security Strategy

The NSA has, for decades, favored offensive security (hacking others) over defensive security (protecting us). The Obama administration created a process called the vulnerabilities equities process to try and rationalize keeping bugs secret to use against others vs. telling vendors so that they could fix them. Check Point research published a report talking about one failure where the Chinese figured out the bug we were using, one way or another and used it against us. That is the danger of offensive security. Read the details here. Credit: The Register

HINT: When Your Vendor Tells You it is Time to Upgrade – Listen

Airplane maker Bombardier is the latest entry into the club of companies who were compromised with Accellion’s decades old FTA file transfer system. What was likely stolen was intellectual property. Accellion has been trying to get customers off this decades old platform for 5 years. Now they say they are going to formally end-of-life the old software in April. 300 customers did not listen. At least 100 were compromised. Credit: ZDNet

Microsoft Asks Congress to Force Companies to Disclose Breaches

Microsoft’s president Brad Smith testified at a Senate Intelligence Committee hearing this week about the SolarWinds breach. Smith said that the private sectors should be legally obligated to disclose any major hacks. None of the other CEOs who testified argued with Smith. The details of who, how, when, etc. are note easy to figure out as is the penalty for breaking the law. I suspect that the overwhelming majority of breaches are never reported to anyone because there is no incentive to do so. Credit: The Register

DHS-CISA Reveals Authentication Bypass of Rockwell Factory Controllers

Rockwell industrial automation controllers used in places like factory floors can be compromised by a remote hacker if they can install some malware on the network. The bug has a severity score of 10 out of 10. The compromise would allow hackers to upload firmware of their choosing and download data from the controller. The bug was initially disclosed to Rockwell in 2019. Credit: Security Week