Tag Archives: ransomware

Security News for the Week Ending April 9, 2021

Ubiquiti All But Confirms Breach Story

As the stories about Ubiquiti’s really bad attempts to save their reputation after a breach earlier this year swirled, they were completely silent, other than a very short statement. Now they have posted a statement on their user forum saying that they have no evidence that customer information was accessed or even targeted. They do not say anything at all to refute the claim that the reason they have no evidence is, well, that no log files were being created. If you use a cloud provider, I recommend reading this story because it points out the joint responsibility you have. In this case, it is alleged that Ubiquiti’s bad cyber hygiene practices put their customers’ networks at risk. Credit: Brian Krebs

Is This a Breach: Terabytes of OnlyFans Data Leaked Online?

OnlyFans is an online platform for content creators to share content for a monthly subscription fee. The content creators are typically so-called social influencers and adult performers (OK, no jokes, these two are not the same, although there certainly is some overlap). There is content from almost 300 creators/performers and at least one of the folders is over 10 gigabytes, so it looks like maybe, in total, a couple of terabytes of content. Google will only take down files if the performer identifies a specific file and says “I own the copyright to it.” A bit of a mess, but they say they were not hacked. Credit: Bleeping Computer

Police Say White Supremacists and Conspiracy Theorists Target Cell Towers

The New York Police Department says that cell towers and other critical infrastructure have become an attractive target for conspiracy theorists, especially after the recent election. The Police Department says that conspiracy theorists and far-right white supremacist groups increasingly target critical infrastructure to incite fear, disrupt essential services, and cause economic damage within the United States and abroad. Sounds like the definition of a terrorist to me. Right now we are seeing isolated damage, but it is costing tens of thousands of dollars per incident – which you get to pay to repair – and also causing service outages. Remember, for the most part, the only thing between a terrorist and critical infrastructure is a chain link fence and a padlock. That is the most that is in their way. The most recent case of that was the terrorist in Nashville who blew up a telephone company office and caused tens of millions of dollars of damage. Credit: The New York Times via the Intercept. https://theintercept.com/2021/03/17/5g-white-supremacists-conspiracy-theorists-critical-infrastructure/

LG Promises 3 Years of Security Updates After Pulling Out of Phone Biz

South Korean phone maker LG, always an also-ran in the phone biz, called it quits this week. However, they plan to provide both version and security updates for up to three years, depending on the model. The updates are based on when you bought the phone, not when the model was originally released, so this is actually good news for LG phone owners. Credit: The Record

Ex-GCHQ Staff Recommends Banning Ransomware Payments to Kill Off Ransomware

Several ex-GCHQ staffers (GCHQ is the UK’s equivalent of our NSA) suggest a law banning insurers from paying ransoms in order to kill off the ransomware market. That would probably have some positive effect on it, but it is unlikely to actually kill it off. The other half of that law, however, needs to make the government pay the difference in cost between paying the ransom and not paying the ransom. For example, if the ransom demand is $250k and rebuilding the computers, restoring what data you have and replacing the lost business for the data that you don’t have will cost you $2 million, the gov needs to fork over the other $1.75 million. While I am not a fan of paying ransoms, this is not the right solution. What we have started to see, but need to see more of, is insurance companies declining to provide coverage to companies with inadequate security. This does not require any laws and will make companies deal with the externalities (this is the insurance company’s problem, not mine). Credit: The Register

Security News for the Week Ending February 19, 2021

Parler is Back Online

After being down for a month after getting kicked off Amazon, Parler is back online. Existing accounts can log in now; new accounts can be created next week. They have a new interim CEO after the board fired the last one. It does not appear that old content was moved over to the new platform. Apple and Google have not restored Parler’s apps and there are lawsuits and Congressional investigations, so they are not completely out of the woods yet. It remains to be seen what their content moderation strategy will be. Their notice says that they don’t moderate and then proceeds to talk about all the content moderation they are doing – likely to try and stay out of jail. Credit: MSN

Even Though FBI Complains About Going Dark, they Unlock Phones

While the FBI will never be happy until we return to the 1990s when there was no encryption, apparently, according to court documents, the FBI can get into iPhones after first unlock following power up (which is 99.99% of the time) and even read Signal messages. Likely using tools like GrayKey and Cellebrite, they can extract data from many encrypted phones. Credit: Hackread

Certification Labs UL Hit By Ransomware

Underwriters Labs, the safety certification organization – which also has a cybersecurity certification – has apparently been hit by a ransomware attack which caused them to shut down their IT systems. Attempts to connect to the MyUL.Com portal return a ‘can’t reach this page’ error message. They have been down for a week so far and have decided not to pay the ransom. This points to how long it takes to recover from ransomware, even for a big company. Credit: Bleeping Computer

Microsoft Says SolarWinds Hackers Stole Some Source Code

Microsoft is now admitting that the SolarWinds hackers were able to download some of their source code including parts of code for Intune, Exchange and Azure. While not complete code for anything, any code that makes it onto the dark web will make it easier for hackers to figure out how to hack Microsoft users in the future. Credit: ZDNet

John Deere Promised Right to Repair But Didn’t Quite Do That

In 2018 John Deere lobbyists successfully killed a number of state legislative bills that would have allowed farmers to repair their own tractors and heavy equipment. In exchange, Deere pinky-promised to make the software and manuals available in three years. That would be January 1 of this year. Apparently, Deere, while successful at killing the bills, has not lived up to their end of the bargain and some of the state legislators are not terribly happy. Expect at least some states to introduce new “right to repair” bills this year. What is unknown is how broad these bills will be. Will they just allow a farmer to repair his/her tractor or will they also allow iPhone users to repair their phones? Credit: Vice

Beazley Insight on Breaches

Beazley is one of the largest cyber risk insurance providers in the country and publishes periodic reports on claims that they see. Here is a summary of what they saw.

Ransomware evolved during 2020, reaching new levels of complexity. Rather than getting an employee to click on something, they hack the network, install malware that is highly persistent, try to destroy your backups, steal your data and threaten to expose you.

Other than that, 2020 was just like 2019.

Beazley says that the cost of ransomware payments in 1H2020 was double what they paid in 1H2019. That is in line with their estimate that extortion demands in 2020 will wind up being double what they were in 2019.

The attacks are getting more sophisticated (the SolarWinds attackers were in there for a year, for example). Beazley says that more often, hackers have access to the network prior to the ransomware attack: they figure out how to escalate the privileges that they have, they move throughout the network doing reconnaissance and they figure out what data is there and where it is stored.

More importantly, often they steal (exfiltrate) the data, both to prove that they have access and to threaten the victim.

According to incident response firm Coveware, almost 50% of ransomware cases in Q3 2020 included the threat to release exfiltrated data, up from 22% in Q2. That is an amazing increase in just one quarter.

In one recent case, Beazley responded to a ransomware attack where the initial demand was a half million dollars. Using Beazley’s services they were able to lower the ransom to $50k and, because their backups were hosed, they decided to pay.

Beazley points out that, if the hackers stole your data including PII or PHI, you may be legally required to notify the affected people. After all, you have no guarantee that the hackers will actually destroy the data if you pay the ransom and, in many cases, you may be dealing with several actors, some of which may have no role in your little agreement to pay money and destroy data.

While the article doesn’t say this, you also need to consider that the Treasury Department is putting pressure on organizations not to pay these ransoms by threatening to throw them in jail if they do. As a result, preventing attacks is likely the better long term strategy.

They wrap up the post with 7 great suggestions. If you are not already doing this, start now. Here is the abbreviated version:

  1. Conduct a risk assessment
  2. Set up strong controls on email content and delivery
  3. Manage access effectively
  4. Backups, backups and more backups (and make sure they are OFFline; harder to hack that way)
  5. Educate users
  6. Patch systems and applications
  7. Secure remote access

Beazley has more tips for its clients and if you don’t have cyber risk insurance, you need to reconsider that decision.

For more information, check out this link. Credit: Beazley

Security News for the Week Ending December 18, 2020

Data from employment firm Automation Personnel Services Leaked

Automation Personnel Services, a provider of temporary employment services, found 440 gigabytes of their data leaked on the dark web. The poster says that it includes payroll, accounting and legal documents.

The data was leaked because the company refused to pay the ransom.

When asked if the data was genuine, the company only said that they are working with forensics firms and are improving their security. Credit: Cybernews

Are Hospitals Protecting Your Data?

The Register is reporting that two thousand servers containing 45 million images of X-rays and other medical scans were left online during the course of the past twelve months, freely accessible by anyone, with no security protections at all.

To make matters worse, apparently hackers had been there before the researchers and left all kinds of malware behind. Will anyone get in trouble over this? Probably not. Credit: The Register

Ya Know Those Smart TVs? Maybe Not So Smart to Use?

Ponder this. Most TVs are made in China. Smart TVs connect to the Internet. There is Internet in China. China makes the chips that go into those TVs. And the software that goes into those chips. The executives for at least some of those companies have a documented connection to the Chinese government and/or military. China might be very interested in hearing what goes on in everyone’s living room. And bedroom. Including your kids’ bedroom. Some smart TVs have cameras in addition to microphones. Connect the dots; I am not allowed to. Credit: US Department of Homeland Security

Ransomware Attacks on the Rise and Insurers React

As ransomware attacks increased this year, both in cost and severity, insurers are becoming more selective and some are scaling back their coverage. Total costs of ransom payments doubled between 1H2019 and 1H2020, but that might change going forward now that the feds are threatening to throw people in jail if they pay ransoms to terrorists. This means that some premiums are going up and some carriers are even getting out of the cyber risk insurance business. Credit: Reuters

Ransomware Operators Up The Ante

Israeli insurance company Shirbit was hit by a ransomware attack last week. The hackers demanded 50 Bitcoin within 24 hours. 50 Bitcoin is about a million dollars.

When they didn’t do that, the hackers started leaking the company’s data and doubled the ransomware demand to 100 Bitcoin or about two million dollars.

They said that if Shirbit still didn’t comply, they would raise the demand to 200 Bitcoin or about $3.8 million in the following 24 hours.

AND then they would start leaking more data every 24 hours as well as selling some of the data.

One thing of interest here is the timeline. Every 24 hours the rules change. That means that you, as a business, need to be completely prepared because you do not have time to figure it out on the fly.

In the US, you also have to figure out whether paying the ransom is even legal and if not, what your alternatives are.

The insurance company says that they looked and the data that was stolen won’t hurt their customers. That may depend on your definition of hurt. I think that remains to be seen. You may remember that Travelex said their ransomware attack would not have a material effect on their business. Then declared bankruptcy a couple of months later.

Credit: The Jerusalem Post

How Long Does it Take to Recover from Ransomware?

First the wise guy answers: Too Long and It Depends.

Unfortunately, both are true.

For a lot of companies, 30 to 60 days seems to be the average.

Company size doesn’t seem to be a factor. We recently worked with a smallish company (less than 150 people) and it was 30 days before they were mostly back to semi-normal.

Travelex, the huge foreign currency exchange company was closed for 30 days and they wound up having to file for the equivalent of bankruptcy.

Today’s story is about the University of Vermont Medical Center.

The attack started during the week of October 25th. The health system, which includes hospitals, home health and hospice care and which employs a thousand doctors plus 2,000 other medical staff, had to cancel procedures such as chemotherapy.

The governor even brought in the National Guard’s cyber team to help recover (don’t you wish you could get that treatment if you had a cyber attack?).

A month later, they are still picking up the pieces.

Just last week they got their electronic medical record system back online and restored their online patient portal. At least medical staff doesn’t have to deal with paper charts any more. Of course, now they have to enter a month’s worth of backlogged patient chart data.

There are still other systems to be restored.

While the online patient portal is working again, new patients still cannot sign up. Also billing and payments are still a problem area, not great for cash flow during a pandemic.

Due to the outages, up to 300 employees have either been transferred or furloughed.

Now translate this to your company.

How long would it take you to recover from a complete cyber meltdown?

Do you have the funds to tide you over?

Do you have a plan to be able to continue to perform your key business functions during this time?

Can your IT team deal with the challenges?

If you don’t plan now, it will take longer to recover in the event that the worst does happen. Some companies have just shut down after a ransomware attack. They do not have the resources to recover.

Many companies hope that it won’t happen. Many companies have been wrong about that. Credit: Threatpost