
Security News for the Week Ending June 17, 2022

Ransomware Morphs Again

We know that ransomware has gone through a lot of iterations over the last couple of years as hackers try to maximize their revenue. The BlackCat group is now creating public websites for each victim company and has indexed the data to make it easy to search. I guess this means that it will be harder for companies that get hacked to hide what data was stolen. In one of their sites, you can select between employee data and customer data as the first filter and then search on that subset. Credit: Brian Krebs

NSA Quietly Appoints General Counsel After Two Years

You may remember that in the sort of weird final days of the last President’s administration, the ex-President attempted to force the NSA to accept an unqualified political hack in the role of GC – a person who had not even worked inside the intelligence community – through a process known as burrowing. Burrowing converts a political appointee into a career civil servant. Gen. Nakasone was ordered, on the last day of the ex-President’s administration, to swear the guy in. That same day, the General put the new GC on administrative leave pending an inquiry about some security incidents. After several months in limbo, he resigned. He now is a lawyer at Rumble, a business partner of Truth Social. See a pattern? Anyway, April Falcon Doss, who seems to have impressive legal creds, was finally, quietly, sworn in as GC last month. Credit: The Record

Cyberattack – One and Done? Nope; Not Likely

According to research by Cymulate, 39% of companies were hit by cybercrime over the last year. Of those, TWO THIRDS were hit more than once. Also, of those who were hacked once, 10% were hacked ten times. That doesn’t give me a lot of warm fuzzies. Credit: ZDNet

Joshua Schulte, Former CIA Coder, Represents Himself in Second Espionage Trial

Joshua Schulte is a former software engineer who worked for the CIA. He is accused of the largest, most damaging leak the CIA ever had. In his first trial, the jury hung on the espionage charges. Now the second trial is beginning and he is representing himself. I recall the saying that a lawyer who represents himself has a fool for a client. Even though he is not a lawyer, the saying applies. He says he was framed. Prosecutors say he is guilty. Stay tuned for details. Credit: Security Week

Indian Police Planted False Evidence on Activists’ Computers to Arrest Them

Police in India were caught using hacking tools to plant evidence on people’s computers and then arresting them for the staged crime. The people being cyber attacked are not terrorists, but rather journalists and activists – in other words, people who annoy the police. With the help of SentinelOne, the hacking-by-police incidents have been publicly exposed. Credit: Wired

Which Style of Hacker is More Dangerous?

Ransomware hackers are like the smash and grab style of burglar. They don’t care who knows that they are here or what they are doing. Their techniques become quickly known and have to continuously evolve. They sometimes make a quick payday.

Option two is a stealthy hacker who attempts to sneak in undetected, remain inside undetected and slowly trickle out proprietary data for years, undetected.

The FBI says that business email compromise attacks cost victims about $2 billion in 2020. Add to that the other categories that the FBI tracks, like romance scams, and you are up to about $3 billion a year. Source: Statista

On the other hand, the Commission on the Theft of American Intellectual Property estimates that China’s IP theft (just China) costs the U.S. between $225 billion and $600 billion each year. Source: CNBC

Which do you think is a bigger problem? $3 billion or $600 billion? Seems pretty obvious.

Researchers have discovered a stealthy espionage group that they are calling Aoqin Dragon that has been conducting espionage since 2013. They use a variety of techniques to infect the targets, in industries such as government, education and telecommunications.

The researchers believe this is a small, Chinese-speaking team that continues to operate today as it enhances the back doors it has created.

They think the group used Office bugs in the time period 2012-2015. Since 2018 the group has used a fake removable USB device shortcut as the initial point of infection.

The malware even has built in redundancy – it bundles three different command and control servers.

The fact that it took 9 years to even know that they exist is an indicator of their skill.

Would you even know if they were inside your network?

Credit: ZDNet

Security News for the Week Ending June 10, 2022

Anonymous Seems to be doing Better Against Russia than Past Efforts

Anonymous, the hacking collective, historically has made claims about how effective they are that have not panned out. However, against Russia, they seem to be pretty effective. Whether that means that they are more focused now or instead, that Russia’s defenses are not very good, I don’t know. This week they have leaked a terabyte of data from Russian law firm RKPLaw. This comes just days after they leaked hundreds of gigabytes of data from Russia’s largest media holdings, Vyberi Radio. Note that they are not holding the data hostage; this is about hurting Russia. Credit: Hackread

FTC Regulates by Blog Post

The FTC recently posted a notice on their blog that companies who do not report breaches appropriately – timely, not fully truthful, etc. – are subject to being prosecuted under Section 5 of the FTC Act. This has historically been used to go after fraud. In fact, Section 5 covers fraudulent and deceptive practices. So now you have another regulator who may come after you if you attempt to cover up a breach, like Uber did, and the FTC feels your actions could, possibly, harm consumers. Credit: Ballard Spahr

New Jersey School District Cancelled Finals after Ransomware Attack

Here is the downside of the cloud. Tenafly Public Schools in Bergen County cancelled finals as they attempt to wrestle a ransomware attack to the ground. They have called in experts to help them, but all of that takes time. The school district uses Google Classroom and other cloud-based systems, all of which went offline as a result of shutting down the district’s networks and servers. The district has not said what they plan to do about graduating seniors. Credit: The Record

8 Zero-Day Vulnerabilities Patched in Carrier’s Industrial Control System

Eight zero-day vulnerabilities affecting a popular industrial control system provided by Carrier have been identified and patched, according to security researchers from Trellix who discovered the issues. Carrier argues these are not true zero-days because they are not actively being exploited, but now that they are public, that will change. These Carrier LenelS2 control systems are used by a wide range of industries from education to the federal government. Many will likely never be patched, much to hackers’ delight. Some of the bugs would give hackers root system access. Credit: The Record

DoJ Announces Plan to Improve Cybersecurity – In Line With the Requirements of the EO on Cybersecurity and after being Hacked Multiple Times

I’d like to give them credit for doing this, but the reality is that their current cybersecurity is not up to par and they are just doing what is required of them under the EO on cybersecurity. At least they are doing something. Credit: Daily Swig

Fake Updates Are a Real Risk

There are lots of types of threats to your digital universe. Ransomware. Malicious emails. Infected text messages and many others.

But here is one that we have not talked much about, which has been a real problem and is becoming more of one: fake updates.

We have talked before about logging on to a hotel network (which is infected) or a fake hotspot at your favorite coffee shop (which hotspot doesn’t even belong to the coffee shop) and getting a message that you have an update. Hopefully you don’t fall for those.

But the hackers are getting better. The most recent incarnation is the Vidar malware. It impersonates a Windows 11 download portal. It also shows up in many different incarnations.

Vidar is a kind of info-stealing malware that may be used to monitor users. This malicious software can steal login credentials, take screenshots, capture bank details, etc. Besides general info stealing, Vidar was also discovered downloading and executing additional malware payloads. Moreover, the malware deletes itself from the system after completing its work.

The challenge is how to detect this malicious software masquerading as an update.

It takes a layered approach to win –

  • Make sure that ALL of your software is current – not just the operating system, but all of the applications too
  • Use a firewall. The Windows firewall is okay, but not great. A hardware firewall is much more reliable.
  • Use a VPN when you have to rely on an untrustworthy Internet connection
  • Stay away from those sketchy but enticing websites
  • Stay away from pirated software – it often comes with unannounced “benefits”
  • Run a really reliable anti-malware tool
  • Make good backups and keep them secure – offline
  • Last but not least – use a DNS filter. There are free and paid ones. DNS filters stop you from visiting known malicious websites. Also adult websites. The good ones are constantly updated, because the malicious websites change on a minute-by-minute basis. One thing that is nice about DNS filters – they work no matter where your computer is or what operating system it is running.

It is a cat and mouse game, but with some work, you can be on the winning side.

If you need help or are looking for DNS filter software, contact us.

Credit: Hackread

Ransomware Continues to Morph

The FBI, CISA, Treasury and FinCEN put out a new alert about a hacking group with a different tactic. While this has been done in the past, it has not been done at scale.

The group, Karakurt, does not encrypt your data. Instead they just steal it.

What they do after that is give the hacked companies a week and if they don’t pay the ransom, they threaten to auction it or publish it. Their demands have ranged from $25,000 to $13,000,000.

To confirm that they have stolen the data, they provide screenshots or directory listings.

In addition to simplifying their business model by not encrypting the data and therefore, not having to write code to encrypt and decrypt or manage encryption keys, they also don’t hack web sites.

Instead, they just buy stolen credentials via a variety of techniques.

They also use intrusion broker networks who know things like who is running vulnerable Sonicwall firewalls or outdated Log4j libraries.

They also try to steal as much data as they can; as a result, they are less stealthy than some players.

But then they keep the pressure up.

They send harassing emails to employees and business partners, making the hack as noisy as possible. This encourages the company that was hacked to pay up, just to make the noise go away. They even make threatening phone calls to employees, business partners and clients.

Needless to say, backups are a useless defense to this type of attack.

Credit: ZDNet and CISA

What Does Remote Bricking of Ukrainian Tractors Mean to US Farmers?

When Russian troops stole millions of dollars of John Deere farm equipment from an authorized Deere dealer, Agrotek-Invest, in Melitopol, Ukraine, they trailered them to Chechnya, about 700 miles away.

What the Russians did not know is that (a) the equipment has a GPS in it, so Deere knew exactly where they took it and (b) it also has a cell phone in it, which allowed John Deere or the dealer to turn these millions of dollars of farm equipment into paperweights. Really big paperweights.

The Russians, of course, are trying to un-brick the equipment. People have been playing a cat and mouse game with digital rights management for decades.

What we don’t know is how badly Deere bricked the stuff. Was it just shutting it off, or was it more like wiping it clean, as in there is no software inside the equipment any more? If I were Deere, I would have picked the second option. That is much harder to bypass. Probably impossible.

Could they even have intentionally damaged the equipment? Likely possible.

But, if all they did was “shut it off”, then it is possible that Russian hackers could bypass it.

But enough about Russia’s woes.

These modern tractors measure torque on the wheels, soil density, humidity and even plot the location of the tractor on the farm to within a centimeter.

I suspect that the engineers at Deere are smart. But so are hackers.

Could hackers figure out how to log on to Deere Farm equipment and disable it?

I’m not talking about 27 tractors in Chechnya. What about, say, all of the Deere equipment at all farms in the United States?

Is this possible? Yes. Likely? Not until someone cracks Deere’s security code. I am sure that if you ask Deere, they would say their defenses are bullet proof. Even to, say, a disgruntled insider?

Even the FBI and the Department of Agriculture recognize that this is a threat. They issued a warning bulletin back in 2016. Back then they were only worried about ransomware and stealing farming data.

Russia would like nothing more than to sabotage the American food supply and embarrass us. Oh, yes, and cause starvation right here in America.

At least some people say that Deere’s security practices are, shall we say, less than optimal. Hopefully someone has explained to Deere’s management that if what I suggested above were to happen, the lawsuit would put them out of business.

It is also possible that their software is so crappy that to do this on a large scale would be difficult to impossible. Even if it were not easy to shut down all farming in the U.S., what if Russia was just able to shut down all farming in Kansas? Or random farms across the U.S.? What if they shut down one farm somewhere, every hour, randomly?

The problem is that the farmers are now dependent on this tech to run the big agri-business farms (probably not as much for family farms, but those are quickly disappearing), so they can’t shut it down. I certainly hope that the farm equipment industry (this is not a Deere problem, this is an industry wide problem) is thinking about this threat to their very existence. Modern cars, light trucks and heavy trucks are all also susceptible to this risk.

Let’s hope that Russian hackers are incompetent. Hope is a good strategy, right?

Credit: CSO Online