Tag Archives: Iran

Security News for the Week Ending January 10, 2020

Albany Int’l Airport Hit By Ransomware via MSP

In what is becoming an all too common story, the Managed Service Provider that supported Albany, NY's airport, Logical Net of Schenectady, NY, was hacked, and from there the hackers were able to connect to the airport's administrative network and infect it with REvil ransomware, the same ransomware that hit Travelex (see below).  I say "supported" because after the airport paid the under-6-figure ransom (? $99,000), they fired the MSP.  The ransomware encrypted the airport's backups in addition to the live data.  Given that we are hearing about these attacks against outsourced service providers almost weekly, customers need to start putting pressure on these providers to improve their security.  Source: Bleeping Computer

Cyber Attack Events From Iran Nearly Tripled

Soon after the attack that killed General Soleimani, attacks originating from Iran were up 50% and grew from there.  Cloudflare says that for their little piece of the world Internet, there were a half billion attack attempts in a 48 hour period.  Source: MSN

Info on 56 Million U.S. Residents Sits Exposed – On a Server in China

This does not appear to be a hack.  22 gigabytes of data on 56 million U.S. residents is sitting exposed on a server in China.  The data appears to belong to CheckPeople.com, one of those for-a-fee information sites; it is hosted on a web farm run by the Chinese giant Alibaba.  While this data is not super valuable, it could be useful for any number of foreign adversaries because of the volume and because whoever created it did all of the work of aggregating and organizing it.  Did CheckPeople license it to the Chinese? Or did the Chinese steal it?  Or does CheckPeople use servers in China?  If so, that is something we should stop.  Source: The Register

Travelex Woes Continue

NOTE: I am providing a bit of a blow by blow of the Travelex attack because it is a useful learning lesson for everyone on what to do, what not to do and how to communicate about it.  We usually don't get as much direct information about these attacks as we are seeing here, even though most of the information is NOT coming from Travelex.

This has got to be one of the worst incident response examples I have seen since, say, Equifax.  Really, really bad and getting worse by the day. They said this won't have a material effect on their business, but that is hard to believe.

FRIDAY January 10, 2020

As of Friday night, Travelex’s website is still down.

Given the size of the organization, it is surprising that 10 days into the ransomware attack, the company is still offline.

According to Bleeping Computer, the hackers originally demanded $3 million not to sell Travelex’s data but have now upped the number to $6 million.

While Travelex's public position is that no "structured" personal data has been stolen, the hackers say that Travelex is negotiating a price with them.

Hackers behind the REvil ransomware say, on a Russian hacker forum, that if Travelex does not pay the ransom, they will sell the data on the black market.

As we watch this dumpster fire of an attack from a distance, one of the many lessons to learn is about alternate providers.  Travelex provides services to a number of banks such as Barclays, Lloyds and Westpac.  Those banks have had to shut down currency services to their customers.

As part of your disaster recovery and business continuity plan, you need to consider the impact on YOUR business not only if you are hit by a ransomware attack but what if one of your key providers is taken offline for a week or two or more from an attack.

In this case, the banks have had to refund customer orders and customers have gone to competing banks for their currency needs, possibly never coming back.

THURSDAY January 9, 2020

The NY Times is reporting that the hackers claim to have uploaded 5 gigabytes of “sensitive customer information” and have been in Travelex for 6 months.  They say that if Travelex doesn’t pay them $6 million by January 14th, they will publish the data (AKA Ransomware 2.0).  Their web site is still down. Banks like Barclays and Royal Bank of Scotland that use Travelex as their foreign currency provider are also still down.

WEDNESDAY January 8, 2020

Travelex finally admitted they were hit by the REvil ransomware.  London’s Met (Metropolitan Police) said that their elite cyber team was not contacted until January 2, 3 days after the attack.

They are also saying that there is no EVIDENCE that STRUCTURED personal customer data has been encrypted.  I am not quite sure how to read between those lines.

They also say that, 9 days into the attack, they still don’t have a complete picture of all the data that was encrypted.

Their web site is still down, although there is a new press release on it, updated from the old one.

Finally, they say that they don’t currently anticipate any material financial impact from the breach.  (British Airways was fined $230 million for their breach – not counting lawsuits, remediation, etc.  Not sure what they are thinking).

TUESDAY January 7, 2020

The Travelex web site still shows the message that says they were hit by malware with no explanation and no expected up time.

MONDAY, January 6, 2020

I wrote in last weekend's newsletter that Travelex, who had an IT incident (likely ransomware, but unconfirmed), seemed to have recovered by last Sunday night.  At least their web site was back up.  It turns out that I spoke too soon and as of Monday, their website is still/again down.

While Travelex is still being tight-lipped about things, information is leaking out around the edges – something that businesses would be well advised to understand.  They cannot keep these things under wraps.

What we do know is that booths at airports are still operating, although they are doing it with a pen and a pocket calculator.

Travelex says that they don’t know when things will be back online.  I assume this means that people who took Travelex’s advice and put their money in a Travelex cash card still do not have access to their money.  This is the perfect stuff for lawsuits – actual harm.

The Register is reporting that Travelex had/has public facing Windows servers with Remote Desktop Protocol (RDP) enabled and Network Level Authentication turned off.  This is kind of like playing Russian Roulette with 5 live bullets – not recommended.

The servers are running Windows Server 2008 R2, which will be officially unsupported on January 15th – just a few days from now.  The servers are also running .Net 4.0.30319, which is also “rather old”.

I am sure that regulators on both sides of the Atlantic will be asking some uncomfortable questions.  This may also be a GDPR violation.

Stay tuned for details.  Source: The Register

Computer Weekly says the attack is ransomware, specifically the REvil Ransomware and the bad guys are asking $3 million for the decryption key.   They are also saying that Travelex waited 8 months to patch a critical flaw in Pulse VPN servers. Source: Computer Weekly.


DHS Issues Emergency Directive 19-01 (DNS)

Homeland Security’s newly named agency – the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to executive branch agencies – many of which have personnel on furlough – regarding a DNS hijacking issue.

The issue is not limited to agencies and every company and private individual that owns one or more Internet domains should take immediate action.

CERT’s alert is based, in part, on FireEye’s report issued last week of a coordinated campaign run by state sponsored hackers, possibly out of Iran, to hijack agency, business and consumer Internet domain names.

Using very traditional phishing techniques, the attackers steal credentials to log in to the user’s account at domain registrars around the world.  Once they have access to the user’s domain administration pages, they can redirect web site visitors and email to their servers, using this to steal credentials from web site visitors and email recipients.

The hackers redirect the users to the legitimate web site after stealing their credentials.

DHS is giving agencies, many of which have very limited staff due to the shutdown, 10 business days to complete an action plan.

There are no consequences if the agency blows off DHS, which many do on a normal day.  Under the current circumstances, likely even more will do so.  This means, of course, that you should consider any government server suspect, especially if it asks you for a userid and password.

DHS is admitting to at least 6 agencies that have had their DNS records hijacked.  Likely there are more, some of which do not know that they have been hijacked, for a variety of reasons.

If you are not a government agency (or even if you are), here are some things that you should do:

  • Implement multi-factor authentication on any domain registrar accounts that can control DNS or web site settings.  Examples of big domain registrars are GoDaddy, Wix, Hostgator, 1&1 IONOS, Network Solutions and others.
  • Verify that existing DNS records for domains and sub-domains have not been altered for any resources.
  • Search for SSL/TLS certificates which may have been issued by registrars but not requested by an authorized person.  These certificates would allow an attacker to masquerade as a legitimate version of the web site and steal visitors' credentials or install malware on visitors' computers and phones.
  • Conduct an investigation to assess if attackers gained access to your environment.
  • Validate the source IPs in OWA/Exchange logs.
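The second and third items above (check that DNS records have not been altered, and look for certificates nobody authorized) are the ones a script can help with. The following is an added example, not code from the original post, from DHS or from CISA. It assumes you keep a known-good baseline of your DNS records and a list of certificate serial numbers that authorized staff actually requested; the baseline, the "observed" records, the domain name and the certificate-log entries below are all constructed sample data so the check runs offline. In practice the observed records would come from a resolver query and the certificate entries from a Certificate Transparency log search.

```python
"""Drift check for DNS records and issued certificates.

Added example, not code from the original post, CISA or DHS. Compares a
known-good DNS baseline against currently observed records, and a list of
approved certificate serials against certificates seen for our names.
Everything below is constructed sample data.
"""

# Known-good baseline as (name, type, value) tuples. Constructed values.
BASELINE_RECORDS = {
    ("www.example.com", "A", "203.0.113.10"),
    ("mail.example.com", "A", "203.0.113.20"),
    ("example.com", "MX", "10 mail.example.com"),
    ("example.com", "NS", "ns1.example-dns.net"),
    ("example.com", "NS", "ns2.example-dns.net"),
}

# Records as observed today (constructed). The www A record and the MX now
# point at hosts the organization does not own, and an extra NS was added,
# which is what a registrar-account takeover looks like from the outside.
OBSERVED_TEXT = """\
; name  type  value
www.example.com  A   198.51.100.77
mail.example.com A   203.0.113.20
example.com      MX  10 mx.bad-example.net
example.com      NS  ns1.example-dns.net
example.com      NS  ns2.example-dns.net
example.com      NS  ns.bad-example.net
"""

# Domains the organization owns (assumption for the example).
MY_DOMAINS = ("example.com",)

# Certificate-log entries seen for the organization's names (constructed).
# Only the serials in APPROVED_SERIALS were requested by an authorized person.
CT_FEED = [
    {"serial": "0A1B2C", "issuer": "Example CA",
     "sans": ["example.com", "www.example.com"], "not_before": "2019-11-02"},
    {"serial": "7F7F01", "issuer": "Some Other CA",
     "sans": ["mail.example.com"], "not_before": "2020-01-05"},
    {"serial": "33AA00", "issuer": "Example CA",
     "sans": ["www.unrelated.test"], "not_before": "2020-01-03"},
]
APPROVED_SERIALS = {"0A1B2C"}


def parse_records(text):
    """Parse 'name type value' lines into a set of normalized tuples."""
    records = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, rtype, value = line.split(None, 2)
        records.add((name.lower().rstrip("."), rtype.upper(), value.strip()))
    return records


def dns_drift(baseline, observed):
    """Return (missing, added): baseline records that vanished and records
    that appeared. Any non-empty result needs a human to confirm it was a
    planned change."""
    return sorted(baseline - observed), sorted(observed - baseline)


def covers_our_domain(san):
    """True if a certificate SAN names one of our domains, wildcard or not."""
    name = san.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return any(name == d or name.endswith("." + d) for d in MY_DOMAINS)


def unexpected_certs(feed, approved_serials):
    """Certificates covering our names that no authorized person requested."""
    return [entry for entry in feed
            if entry["serial"] not in approved_serials
            and any(covers_our_domain(s) for s in entry["sans"])]


def run_checks():
    """Run both checks and return the findings as a dict."""
    missing, added = dns_drift(BASELINE_RECORDS, parse_records(OBSERVED_TEXT))
    rogue = unexpected_certs(CT_FEED, APPROVED_SERIALS)
    return {"dns_missing": missing, "dns_added": added,
            "unexpected_cert_serials": [c["serial"] for c in rogue]}


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(key)
        for item in value:
            print("   ", item)
```

Run it as-is and it reports the two redirected records and the added name server on the DNS side, and the one certificate for mail.example.com that nobody requested on the certificate side. Feed it your real baseline and a fresh resolver dump, and run it from a scheduled job, and the output becomes a daily "did anyone touch our registrar account" signal that does not depend on the registrar telling you.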


Information for this post came from ZDNet and the US Computer Emergency Response Team at Carnegie Mellon.


Iran (?) Attacks Saudi Central Bank and Other Saudi Agencies

Starting in mid November, someone, possibly Iran, wiped many computers at a number of Saudi government agencies, including the Saudi Civil Aviation Agency.  A total of 6 agencies were attacked; 4 were compromised; 2 agencies repelled the attack.

The attack was made to look identical to an attack attributed to Iran in 2012 where tens of thousands of computers at the Saudi Aramco oil company were destroyed.

How “destroyed” is also unclear.  In the case of the Aramco attack, the oil company chose to be ultra cautious and replaced the disk drives in those 35,000 computers, causing a spike on the global market for disk drives.  We don’t know what they plan to do regarding this attack or how many computers were affected.

This is kind of similar to the attack on Sony, attributed to North Korea and the less successful attack 6 months before Sony on Sheldon Adelson’s Sands Hotel chain.

Since the Aramco attack is pretty public, someone wanting to cast a shadow of guilt on Iran (such as the CIA, KGB or Mossad) could have certainly planted the malware to stir up trouble.  We just don’t know.

For the soon-to-be-president Trump, this could get messy.  If he decides that it was Iran and that the U.S. needs to retaliate (big IF), then this escalates things.  It is pretty clear that the Iranians and their allies could certainly attack U.S. infrastructure – whether it is the San Francisco Metro or Gorilla Glue, if all they want to do is cause mischief, there are certainly plenty of soft targets.  If they want to get ugly, they could try for a critical infrastructure attack like the Russians did in Ukraine last year.  That could really get ugly.

The Saudis have not released much information about the attack; likely more will leak out over time, but how much and when is unknown.

Was it the Iranians?  Were they testing Trump?  Who knows, but get some buttered popcorn and stay tuned for the show.

Information for this post came from Bloomberg.


Duqu2 Malware Trail – From Kaspersky Labs to Iranian Nuclear Talks

Gene Kaspersky, head of the Russian anti-malware vendor and security research labs reported yesterday that the malware that infected his labs last year was also found … drum roll … at the hotels for the delegates to the Iranian nuclear talks (see article).

Gene Kaspersky, head of Kaspersky Labs

Kaspersky reported yesterday (see article) that their lab was the victim of a sophisticated attack that they detected in the early spring.  They said that the attack used three different zero day (previously unknown) vulnerabilities.

This malware, which they labelled Duqu2, does not write to disk, so anti-malware software that scans the disk cannot detect it.

The earlier version of Duqu used a bug in Microsoft Word.  This version uses a bug in the Microsoft Installer.

Gene said that while the attackers did get some material off their systems, they were detected early and they are confident that they removed the malware and that their customers are safe.

Fast forward to yesterday.  In the report, Kaspersky says that after they found this malware, they decided to do a little “spying” of their own to see where else this malware might be.

Given that their anti-malware software is loaded on tens of millions of computers, all they need to do is add a test for this particular malware and have the software tell them if it found it.

After scanning millions of computers, including thousands of hotels, they found it – on three luxury hotels in Europe.  What these hotels have in common is that each had hosted negotiations between Iran and the rest of the world over nuclear issues.

Hmmm.  Who might have an interest in that?  Russia?  United States?  Israel?  Kaspersky is not naming names – he doesn’t do that – but there are hints that he thinks it is Israel.  While Israel denies spying on the U.S. and other allies (except for those times where they got caught at it), they don’t deny that they spy on Iran.  However, they responded with a ‘no comment’ type of response when asked if this bug was theirs.  Assuming it was, there goes some valuable intel.

So what does Duqu2 do?  It is composed of 100 distinct modules that do different things.  One, for example, compresses video feeds – like you might get from a CCTV security camera.  Other modules targeted communications from phones to WiFi.  Another allowed them to eavesdrop on microphones in elevators, alarm systems and computers.

The FBI is reviewing Kaspersky’s report and said while they have not confirmed the report, it doesn’t surprise them that someone would attempt to attack those hotels.

U.S. officials said "We're trying to keep as much security as we can, but nothing ever stays completely secret in this world we live in these days."  The British, German and French said 'no comment'.

In today’s world, with as high stakes as these negotiations are, this is not much of a surprise.

Kaspersky says that the attack on them likely started when an employee in a satellite office in Asia clicked on an attachment and loaded the malware.  No doubt, they are running some anti-malware software 🙂 , so they detected the outbreak pretty quickly.

Pretty amazing stuff.
