Category Archives: Hacks

Ransomware. Healthcare. 1 Old, 5 New.

The Hacking Group Dark Overlord hacked Athens Orthopedic 4 years ago and they are still dealing with the fallout, including paying a 1.5 million dollar fine to the feds.

The feds say that Athens management was not being good. In fact it was being naughty. HHS audited the doctors after the attack and found systematic non-compliance with HIPAA.

The hackers stole over 600,000 patient records. A journalist found some of their patient records on the dark web. Within a few days, the hackers contacted Athens demanding a ransom.

So this points out that ransomware 2.0 – the kind where hackers steal data, encrypt your systems and then hold both your systems and your data hostage – has been around for years. It is just becoming more popular now.

In addition to losing four years of their life and $1.5 million, the doctors now have to implement a corrective action plan (CAP). A CAP is HHS’s term for getting your security act together.

Oh, yes, the source of entry for the hackers? Credentials stolen from a third party. I guess the doctors will now implement a vendor cyber risk management program. A bit late, but better late than… Credit: Health IT Security

HHS also fined 4 other healthcare providers this year, fining them as much as a million dollars.

Fast forward to today.

This month hackers have posted the data of 5 different medical practices on the dark web in an effort to extort money. UCSF paid hackers over a million dollars just a couple of months ago.

So what are we seeing now?

Assured Imaging, University Hospital New Jersey, National Western Life, The College of Nurses of Ontario and Nonim Medical are all dealing with their data being hacked and posted on the dark web.

Assured Imaging is notifying 244,000 patients that their data may have been compromised. The hacker only had access to the data from May 15 to 17.

So what does all this tell us?

  • The hackers are using any available option, including third parties.
  • They do not need to have access for a long time to do a lot of damage.
  • Some health care providers are not following the HIPAA rules including getting annual third party risk assessments.
  • The companies that get hacked will be cleaning up the mess for years.
  • And will likely pay HHS a lot of money as well as getting to execute a CAP.
  • Finally, there will be lawsuits. There always are.

So I am going to leave you with just one thought and it doesn’t only apply to healthcare. Credit: Health IT Security

Do you feel lucky, punk?

I am sure that these organizations didn’t think they were going to get attacked. At least some of them were not taking security seriously enough.

Are you taking your company’s security seriously enough?

Security News for the Week Ending September 18, 2020

Is TikTok is Going to Sell to Oracle. Maybe

Well sale is not really the right word. They call it a “trusted tech partner”. This does not solve the national security problem, so it is not clear what problem this does solve. None the less, Steve Mnuchin will present it to the President. If it provides some sort of political benefit he may accept it even though it does nothing for national security. If it shuts down, there will be 10 million unhappy people, some of whom vote. Also, it doesn’t seem that this deal fulfills the President’s requirement that the Treasury get a lot of money. It seems like they won’t get any. Credit: The Verge

Updated information says that there will be a new corporate entity set up in the U.S. to give the President some cover that he is really improving security and that Oracle will have some sort of minority stake in this new entity, but China will still control all of the intellectual property. The President’s deadline is this Sunday. Will he really shut it down pissing off millions of Americans just before the election? Credit: The Verge

Even more updated: The Commerce Department says that a partial ban will go into effect Sunday. As of Sunday, U.S. companies can no longer distribute WeChat and TikTok, but users can continue to use the software. Also beginning Sunday, it will be illegal to host or transfer traffic associated with WeChat and the same for TikTok, but on November 12 (coincidentally, after the election). I assume that will mean that users who want to use those apps will have to VPN into other countries before using the apps. Not terribly convenient, but a way to keep the pressure up on China. Credit: CNN

Cerberus Banking Trojan Source Code Available for Free

The Russian security vendor Kaspersky (reminder: the U.S. has banned it from government systems) has announced the the Cerberus source code is now available for free. This means that any hacker with the skill to integrate it can make it part of their malware. Cerberus is a pretty nasty piece of work; it even has the ability to capture two factor codes sent via text message (one reason why I say that text message two factor is the least secure method). This means that banks and people that use banks (which is pretty much most of us) need to be on high alert when it comes to our financial account security. Credit: ZDNet

Denial of Service Attacks up 151% in First Half of 2020

Denial of service attacks are a brute force attack that aims to hurt a business by stopping a company’s customers from getting access to the company’s (typically) web site. For example, if you are an online business and customers and potential customers cannot get to your web site, they will likely go to another vendor. What is now amazingly called a small attack (less than 5 gigabytes of garbage thrown at your web site per second) are up 200% over last year. Very large attacks (100 gigabytes per second or more) are up 275%, according to Cambridge University.

If you are not prepared to deal with an attack and need help, please contact us. Credit: Dark Reading

Ransomware at German Hospital Results in 1 Death

This could have wound up much worse when hackers compromised Duesseldorf University Hospital. The hospital put itself on life support and ambulances were diverted to other hospitals. While police communicated with the hackers and told them they hacked a hospital, an ambulance was diverted and the patient died. Prosecutors, if they can find the miscreants, may charge them with negligent homicide. The hackers did withdraw the ransom demand and forked up the decryption key, but not before this patient lost his or her life. Credit: Bleeping Computer

Security News for the Week Ending September 11, 2020

Pioneer Kitten Sells Compromised Corporate Credentials

Pioneer Kitten, an Advanced Persistent Threat group backed by Iran, is compromising corporate systems and then selling those credentials to the highest bidder. Like all large organizations, they want to diversify from just ransomware and stealing credit cards. Now they have a new and apparently very lucrative revenue stream. Credit: Threat Post

Ireland Unfriends Facebook

In the aftermath of the Schrems II decision, Ireland has told Facebook to stop sharing data from the EU to the US. Of course Zucky says that they have a right to do that using standard contract clauses (and they could possibly be right), but there will be a fight. Stay tuned. Credit: The Register

Pentagon has a New Way to Protect Their Browsing

In case you thought I was going to diss DISA, the Pentagon’s IT department, nope, not this time. Actually, I really like what they are doing and hope some enterprising company offers it as a service.

The Pentagon plans to roll it out to 1.5 million users in the first year. What they are doing is instead of opening a browser on your computer, you open a window to a browser in the cloud from your computer. You then surf in that sandbox, containing any explosive debris from malware. When you drop the connection, the sandbox goes away, along with any malware. In addition, since these sandboxes live in the data center, the amount of data bandwidth required at the user’s location goes down dramatically. It is a brilliant idea. Credit: Government Computer News

After Microsoft Outs Russian Election Hacking White House Sanctions 4 Russians

The same day that Microsoft published details of Russians who are trying to hack the 2020 US Elections, the White House added 4 Russians to the Treasury’s equivalent of the do not fly list called OFAC. This is also after the whistleblower at DHS came out saying he was told by the head of DHS not to say anything about Russian hacking. Maybe the three events are not related. Maybe the Republican administration was forced to do something to look like it was being tough on Russia. The hacking includes publishing fake news designed to spark false corruption investigations in an effort to affect the election outcome. Other Russians stole US citizens’ identities to open fake bank and cryptocurrency exchange accounts. Microsoft said that it detected attacks targeting both the Biden and Trump campaigns. The Russians also used traditional attacks like phishing and brute force password attacks. Credit: Dark Reading

Army Cyber Command Moves to Fort Gordon

While the move of Cybercom to Fort Gordon in and of itself may not be exciting, it may be an indication of how serious the Army is taking cyber. The Army built a new 336,000 SF building for them, consolidating folks who were at Forts Belvoire and Meade. More importantly, consider who else is at Gordon. This move puts Cybercom at the same garrison as the Army Cyber Center of Excellence, Army Cyber Corps and Army Signal Corps. It also houses Homeland Security training, Naval Information Ops Command and Joint Strategic Intelligence Command, among others. Putting all these cyber and information folks within walking distance has to allow them to better coordinate and cooperate. Credit: Security Week

Cisco Learned About the Insider Threat Problem – the Hard Way

I talk a lot about the insider threat problem because it is prevalent and hard to stop.

Cisco learned about that the hard way.

Sudhish Kasaba Ramesh resigned from Cisco in April 2018. OK, good, time to move on.

FIVE MONTHS LATER, he accessed Cisco’s infrastructure at Amazon and deployed code that shut down 16,000 Webex accounts and deleted 456 virtual machines. He did this via Google’s cloud infrastructure.

Cisco spent over $2,000,000 in customer refunds and labor to fix the problem. While $2 million is a lot to you and me, it is merely embarrassing to Cisco.

Some customers were down for several weeks as a result of the attack.

Sudhish pleaded guilty and was released on bond. He is scheduled to be sentenced in December. He faces a maximum of 5 years in the slammer and a $250,000 fine. Since he is here on one of those visas that companies like Cisco use to give American jobs to foreigners to save money, he could also be deported (in case you wondered where I stand on those visa programs, that should be clear 🙂 ).

In this case, the former employee could have likely done a lot more damage than he did. He was, for whatever reason, upset with Cisco and decided to take it out on them. What if, instead deleting 456 virtual machines, he deleted 10,000 VMs or 50,000 VMs. Or instead of deleting 16,000 accounts he deleted 16,000,000 accounts. He was merely toying with Cisco.

On the other hand, how come he was able to login at all?

And why did it take Cisco two weeks to recover? What happened to their disaster recovery solution?

This does point out that it is hard to secure your infrastructure when an I.T. person leaves if you have not designed your security to take that into consideration.

I am sure (I hope) that Cisco has improved both their security and their disaster recovery since then.

But could could a disgruntled ex-employee do this to you? I am sure Cisco didn’t think so. Credit: Bleeping Computer

Security News for the Week Ending August 28, 2020

Ransomware is an Equal Opportunity Business

As American businesses deal with ever increasing ransomware attacks, larger ransom demands and ransom and extortion wrapped up together, we are not alone. Not that the fact that we are not alone should make us feel better. A new Iranian hacker group is using Dharma ransomware to go after businesses in Russia, Japan, China and India. According to the researchers who discovered this, the hackers aren’t apparently quite sure what to do once they get in. Credit: Group-IB

New Zealand Stock Exchange Attacked

The New Zealand stock exchange was down for the third time in two attacks after hackers attacked with with a volumetric attack (I think that is a fancy word for big). Basically, they crushed the exchange’s servers with a lot of useless data. You have to assume that a stock exchange has a lot of security in place and has certainly considered that someone might want to use it to make a point, so the fact that they went down three times and then halted trading says that (a) they made their point and (b) the exchange’s preparations were not sufficient. Do you care if your online systems are taken down by hackers? Are you prepared in case they try? Credit: News.com

Insider Threat Is a Real Problem

A Russian national inside the U.S. offered to pay an employee of an unnamed company $500,000 to plant malware in the company’s network. When the employee didn’t go for the plan, the Russian upped the offer to a million dollars. The Russian told him that the company would pay millions to not have their data posted on the web. The employee, instead, went to the FBI and the Russian national is now in custody. Credit: Security Week

UPDATE: It turns out the unidentified company is Tesla.

Homeland Security Releases 5G Strategy

Homeland Security’s CISA released a strategy document for the migration of the country to 5G. While those trying to sell 5G gear are pretending that the country is ready for 5G, the reality is that 5G that lives up to the 5G hype is years away except for small pockets.

The strategy document calls for 5G policy and standards emphasizing security and resilience, expanding awareness of 5G supply chain risk (code for beware of HUAWEI and China), encourage other companies to get into the 5G game and identifying risk based on potential 5G uses.

All of this is good, but unless this is more than a press release, it will not make any difference. Credit: SC Magazine

Security News for the Week Ending August 21, 2020

August 13th, a Day That Will Live in Confusion

August 13th is the day that Part B of Section 889 of the 2019 National Defense Authorization Act went into effect. It bans the use of equipment and services tied to certain Chinese companies that have been deemed security threats by the United States. Companies that have this equipment won’t be able to sell to the federal government without a waiver. Contractors have 24 hours to report if they discover, after August 13th, that they are breaking the law. But contractors are allowed to self certify. While the ban went into effect on August 13th, the GSA training session for contractors has been delayed until mid-September – because they weren’t ready to coherently explain the rules. Ellen Lord, chief of the Pentagon’s acquisition branch asks contractors to take notes on how this is screwing up their business so that, maybe, they can get Congress to change the law. By the way, this is not a contract flow down clause, so primes are responsible for what their subs do, I guess. Sorry contractors. Credit: Federal Computer Weekly

Senators Say WikiLeaks Likely Knew He Was Helping Russia

The US Senate Select Committee on Intelligence says, in a report, that Vladimir Putin personally ordered the hacking of the DNC and WikiLeaks likely knew that it was helping Russia. The Senate report says WikiLeaks received internal DNC memos FROM Russian hackers. Senators wrote that Trump’s campaign staff sought advance notice of WikiLeaks releases. Paul Manafort is named as the person who was the link between the campaign and Russia. It seems odd that this Republican controlled committee would release this report days before the Republican National Convention’s nomination of Trump for President. Credit: The Register

Hide Your Breach – Go to Jail

The Feds have charged Uber’s Chief Security Officer with hiding information about the breaches they had in 2014 and 2016 and about payments they made to the hackers to keep the breach quiet. He is being charged with obstruction of justice and misprision of a felony (i.e. hiding it). He faces up to 8 years in prison if convicted. Credit: DoJ

Ever Wonder What Happens to All That Location Data that Apps Collect?

Well, the answer to that is, it depends. This week we found out one thing that happens to that data. The U.S. Secret Service buys it and uses it instead of having to get a warrant to get that same information from the phone company. Nothing illegal about it. Obviously, the Secret Service is not using it to market any products. Curiously, the company that they bought it from does not advertise that they sell your data to the police. In fact, their agreement, similar to the agreement that Stingray’s provider makes the police sign, says that they are forbidden from mentioning it in legal proceedings at all. When this has been an issue with Stingray’s the police have dropped charges rather than break the agreement. Credit: Hackread

Securus Sued For Recording Attorney-Client Jail Calls and Providing to Police

Securus provides pay phone services in prisons at what most people say are exorbitant prices. Sometimes they charge 100 times the going price outside. According to theory (and law), Securus is not supposed to listen to or record phone calls between inmates and their lawyers. The only reason they were caught was that a detective was listening to recordings provided to him by Securus and recognized the attorney’s voice. He then reported Securus to the Attorney General. The attorney who was illegally recorded is now suing Securus. The interesting thing is that Securus just settled a similar case in another state. You would think they would learn. Credit: The Register