Tag Archives: ransomware

Security News for the Week Ending December 6, 2019

Caller Poses as CISA Rep in Extortion Scam

Homeland Security’s CISA (Cybersecurity and Infrastructure Security Agency) says that they are aware of a scam where a caller pretends to be a CISA rep and claims to have knowledge of the potential victim’s questionable behavior.  The caller then attempts to extort the potential victim.

CISA says not to fall for the scam, do not pay the extortion and contact the FBI.  Source: Homeland Security.

Senate Committee Approves $250 Mil for Utility Security

The PROTECT  program would provide grants for utilities to improve their security.  Given that a carefully distributed government report says that the Russians (and not the Chinese) have compromised a number of US utilities already, improving security is probably a smart idea. The nice part is that it is a grant.  The important part is that the money would be spread out over 5 years, so in reality, we are talking about spending $50 million a year.  It also seems to be focused on electric and doesn’t seem to consider water or other utilities.  There are around 3,300 electric utilities alone in the US.  If we ignore everything but electric and spread the money equally (which of course, they won’t), every utility would get $15,000.  That will definitely get the job done.  NOT!  Source: Nextgov

Smith & Wesson’s online Store Hacked by Magecart

Lawrence Abrams of Bleeping Computer fame tried to warn Smith & Wesson that their online store had been compromised by the famous Magecart malware.  The join the likes of British Airways (183 million Euro fine) and thousands of others.  Abrams did not hear back from them by publication time.  Source: Bleeping Computer

Another MSP Hit by Ransomware Attack

CyrusOne, one of the larger MSPs was hit by a ransomware attack which affected some of their customers.  As I said in my blog post earlier this week, attacks against MSPs are up because they are juicier targets.

In CyrusOne’s case, they said the victims were primarily in a data center in New York (which hopefully means that they have segmented their network), it did not affect their colo customers, only their managed customers (because in a colo, the provider does not have credentials to their customer’s servers) and they are investigating.

This just is one more reminder that you can outsource responsibility to a service provider, but the buck still stops with you when the provider is hacked.  Source: MSSP Alert

Reuters Says Census Test Run in 2018 Was Attacked By Russia

Commerce outsourced the first digital census to Pegasystems and at last check the cost has doubled to $167 million.  More importantly, in a 2018 test, Russian hackers (not China) were able to penetrate a firewall and get into places where they should not have been.  In addition, the test was hit with DNS attacks.

Sources say this raises concerns whether T-Rex Solutions, the Commerce Department’s main security contractor, can keep the Russians out when the site actually goes live.  Or the Chinese. Or other countries that would like to embarrass us.

Census said (a) no comment, (b) no data was stolen (this was likely a reconnaissance test by the Russians, so no surprise) and (c) the system worked as designed (i.e. the Russians got in and we panicked).

Clearly if the Russians are able to compromise the Census, that would be a HUGE black eye for this President and the Executive Branch.

They can hide things during a test, but cannot hide them when it goes live, so lets hope they are able to fix it.  Source: Reuters

Facebooktwitterredditlinkedinmailby feather

Argh – They Have a Name for it Now – Leakware

As I have been saying for a while, hackers are good at evolving.

As we see more and more ransomware attacks, a lot of the people are opting not to pay the ransom and instead deal with reconstructing their infrastructure and losing data (like police losing digital evidence and having to let crooks go).

So the hackers are in the process of evolving.

The City of Johannesburg, South Africa was hit with a ransomware attack and the attacker said that if they didn’t pay the ransom, the hackers would sell/publish the data.  We are beginning to see more of this.

The city didn’t pay and we don’t know if the hackers sold the data.  It is possible that it was a bluff and they didn’t have the data.  Only time will tell.

But from a hacker’s standpoint, that is likely the next evolution of ransomware and they have given it a name – LEAKWARE.

The premise is that good backups don’t help.  Disaster recovery plans don’t help.  Business continuity plans do not make a difference.

If I was a hacker and was contemplating a Leakware attack, I would go after high value targets.  Examples include banks, mortgage companies, big pharma and  law firms.  Also anyone with a lot of personal data like HR departments, sensitive data, financial data or intellectual property.   Especially service providers (law firms, accounting firms, contract HR and similar companies fit into this category).  These are companies that might go out of business if their customer’s data was published, hence they are very likely to pay a Leakware ransom.

The only solution to this is to do your best to protect your infrastructure.  There are a number of ways to do this – better employee training, logging with 24×7 alerting, segmentation and many others.   It takes work.  It costs money, but maybe not a fortune.  What it takes is making protecting your network a priority.

Source: Government Computer News

Facebooktwitterredditlinkedinmailby feather

Yet Another Hosting Provider Hit By Ransomware Attack

SmarterASP.net, a web hosting provider with over 400,000 customers, was infected by ransomware over the weekend.

They are, at least, the third provider to be hit by such an attack.

Affected user web sites are down and the company’s website was also down.

Customers logging in might see a directory listing that looks like this

The encrypted files have the extension kjhbx, except for the ransom note below:

The company has not returned calls so it is unclear if they paid the ransom or are restoring from backups.

If this is like the previous hosting provider attacks, it will likely take weeks for them to restore all the data – if it all can be restored.

A2Hosting and iNSYNQ are two other hosting providers that were attacked earlier this year.

In 2017 South Korean hosting provider Nayana paid a ransom of over $1 million after they were attacked.

Hackers understand that if they can get a hosting provider to pay, the payday is likely a lot larger than attacking you or me.  As a result, attacks against cloud service providers are likely going to continue.

There is no obvious notice on the company’s homepage of the attack and for good reason – it is not terribly good for business.  They are likely hoping that this disappears off the radar and they can continue signing up customers.  There is a note buried on the support site, here.  It says don’t bother to call us or email us, we are kind of busy right now.

So what does this mean for you?

First of all, check your cloud provider’s contract that you signed – either without reading it or without caring.  It probably says that they will not charge you while your web site is down.  Beyond that, you are likely on your own.  Maybe your contract is different, but I doubt it.

You can try suing them for damages, but in light of the contract, that probably will go no where.

*IF* you have cyber risk insurance WITH  network business interruption coverage, you will probably be able to collect on your policy, but only if you have that coverage.

From some of the earlier attacks, it took the providers *WEEKS* to recover all the data – if they were able to recover it at all.

ARE YOU OKAY WITH YOUR WEB SITE BEING DOWN FOR A COUPLE OF WEEKS?

ARE YOU OKAY WITH SOME OTHER CLOUD SERVICE PROVIDER THAT IS KEY TO YOUR BUSINESS BEING DOWN FOR A COUPLE OF WEEKS?

ARE YOU OKAY WITH LOSING SOME OR ALL OF YOUR DATA FOREVER?

Assuming the answer to these questions is no, it is up to you to figure out a business continuity plan.  Assuming your data is permanently gone, it is up you to figure out what to do.

We have read stories of some companies going out of business after one of these attacks because customers fled or they lost all of their data.  These are the minority, but it does happen.

Plan for it now because dealing with it after the fact is no fun.

AND, your cloud service provider is likely not liable, other than not charging you for the service that you are not getting.

Information for this post came from ZDNet.

Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending November 1, 2019

Johannesburg, South Africa Attacker Threatens Data Breach

In what I think is going to be the way of the future, hackers compromised Joburg IT systems and threatened to publish data that they stole if the ransom is not paid.  As I write this, the deadline has just passed, they have not paid the ransom, the data is not yet exposed and they think they will have most of the systems back online soon.  While this project seems to be the work of inexperienced hackers (they did not encrypt all of the systems), this does not mean that more experienced hackers won’t try this technique and do a better job of it.  Source: The Register.

China Steals IP to Build C919 Airliner

I keep saying that the biggest threat to U.S. businesses is not credit card fraud but IP theft, such as by the Chinese.  In this case the Chinese wanted to build a passenger jet to compete with Boeing and Airbus.  The plane, in development for almost 10 years, was delayed because the Chinese didn’t actually know how to build it.  SOOOOOO, here comes TURBINE PANDA.  Stupidly, the developer of Turbine Panda came to the US for a security conference, where he was quickly arrested by the FBI.  Now China’s MSS (ministry of State Security) has banned Chinese researchers from attending conferences in the US.  In the meantime, Turbine Panda was  used to compromise US and European airplane parts suppliers so that China could get the tech that they needed to build the C919.  Source: CSO.

 

FCC Plans to Ban Huawei and ZTE Equipment, Force Replacement

The FCC is set to vote on rules banning using Federal Government subsidies to buy Huawei and ZTE equipment  because of their close ties to the Chinese government and another rule that would force telecoms to rip  out existing Chinese equipment.  The cost of replacing existing equipment has been estimated at several billion dollars and the FCC doesn’t have any way to pay for that.  In addition, if telecoms have to use more expensive 5G equipment from other providers, they will have to slow down the deployment of 5G services due to cost.  The options that telecoms have, if that proposal gets approved, is to significantly delay the rollout of the much overhyped 5G cell networks or raise prices.  This disproportionately will affect less densely populated parts of the county (like me, who lives 20 miles from downtown Denver – I cannot currently get any form of broadband Internet or any form of cell service where I live) because carriers will choose to install limited 5G service in highly dense areas where they will get more subscribers to pony up the additional fees for 5G cell plans and those 5G cell phones that often run $1,100 or more.  The U.S. is already pretty much a third world country when it comes to fast , affordable Internet and cell service and this will only reinforce it.  I have no problem banning Chinese firms, Congress just needs to figure out how to pay for this desire.  Source: ARS

 

Domain Registrars Web.com, Network Solutions and Register.Com Hacked

These three registrars – all owned by the same folks – were hacked in AUGUST but the company didn’t figure it out until mid OCTOBER.  The information taken is mild by today’s standards – names, addresses, phone numbers, etc. but no credit cards – they don’t don’t believe (that’s comforting).  Also not compromised were passwords.  If this is accurate, it seems like they segmented the data, which is a good security practice.  Still, if you use one of these services, I would change  my password and make sure that two factor authentication is enabled.  Source:  The Hacker News.

 

Rudy Guiliani Bricked His iPhone;  Asked Apple to Fix It

Reports just surfaced – and so far are not being disputed  – that the Prez’s cybersecurity advisor, personal lawyer and who knows what else, apparently forgot his iPhone password and after 10 tries, locked it up, so he took it to an Apple store in San Francisco and GAVE it to some random Apple tech to reset, and reload from iCloud.  Definitely a super secure situation.  Rudy said that everyone needs help from time to time and compared himself to the dead San Bernadino mass shooter whom the FBI needed help unlocking his iPhone.   I don’t think that would be someone that I would compare myself to.  Source: The Register.

Does Amazon Have a Security Prob?

One report says that an Amazon customer was seeing mysterious fraudulent charges on his account and even after working with Amazon multiple times and resetting everything, the charges kept coming.  After months, he found out that Amazon doesn’t have visibility to non-Amazon branded smart devices that are connected to your account (like a smart TV) and even if you reset your account, those devices can continue to connect and order stuff.  There is a department inside the company that has a special tool that they can use to detect these rogue devices.  If you are seeing mysterious charges that they can’t explain, this could be it.  Source: The Register.

Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending October 25, 2019

Database Leaked 179 GB of Personal Data of military personnel, officials and hotel customers.

I wish this was a new story.  Autoclerk, a Best Western service that manages reservations, revenue, loyalty programs, payment processing and other functions for the hotel chain. left an elastic search database exposed.

Hundreds of thousands of guest reservations were exposed including names, home addresses, dates of birth, travel dates and other information.

The reason why government and military personnel are affected is that a government contractor that deals in travel reservations was sucked into the breach.  Source: SDNet.

 

San Bernadino Schools Hit By Ransomware

A message on the school district’s web site says not to worry, all of your data is secure.   (it’s just that it has all been encrypted by a hacker).    Phones are working but email is not working.   Schools in Flagstaff closed last month for several days while officials got things under control after a ransomware attack there.  Source: ABC

 

Russia Using “False Flags” to Confuse Security Experts

Researchers are still dissecting the attack on the 2018 Olympics in South Korea.  Russia inserted false signals and other misdirections in order to may people think that the attack came from China or North Korea.  This does point out that if you are willing to spend millions of dollars, you likely can figure out quite about a cyber attacker.  The story is so complex that one of the researchers wrote a book, Sandworm, which will be available on Amazon on November 5, 2019.  Source: WaPo

 

Amazon’s Web Services DDoSed for 10 Hours This Week

For about 10 hours earlier this week parts of Amazon were effectively offline.  Amazon’s DNS servers were being hammered by a DDoS attack.  This meant that Amazon backend services such as S3 may have failed for websites and apps that attempted to talk to those services.  The outage started around 0900 east coast time so it impacted users throughout the work day on Tuesday October 22, 2019.   For developers and businesses this is just one more reminder that nothing is bullet proof if the bullet is large enough.  Even though Amazon has an amazing about of bandwidth and infrastructure, it can get taken down.

Other services that were affected included RDS (database), Simple Queue Service, Cloudfront, Elastic Compute Cloud, and Elastic Load Balancing.  Amazon did offer some ways to mitigate the damage if it happens again – see the link below.  As a business you need to decide how much cost and effort you are willing to expend to mitigate rare occurrences like this.  Source: The Register.

 

Comcast is Lobbying Against Browsers Encrypting DNS Requests

Here is a big surprise.  As the browser vendors (Chrome and Firefox) add the ability to support encrypting your DNS requests to stop people from spying on you, one of the biggest spies, Comcast, is lobbying against this.  They say that since Google would be able to see the data, that puts too much power in Google’s hands.  Ignore for the moment that Firefox is not using Google as a DNS provider and also ignoring that Google is offering  users at least 4 different encrypted DNS providers.  Lets also consider that encrypted DNS is not even turned on by default.  The much bigger issue is that Comcast will not be able to see your DNS requests and therefore will not be able to sell your web site visit data.  But of course, we would not expect them to be honest about why.  Source: Motherboard.

Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending October 11, 2019

Medical Practice Closes After Ransomware Attack

Wood Ranch Medical is closing their doors permanently after a ransomware attack.  The attackers not only encrypted the practice’s data, but also its backups.

In April 2019, the Brookside ENT and Hearing Center in Battle Creek also closed after a ransomware attack.

Ransomware attacks are just one reason why businesses should keep at least one backup off-site and off-line.  Source: Security Week

 

Reductor Malware Bypasses Encryption

Kaspersky, the Russian anti-malware vendor that has been banned for use by the US government, reported a new malware attack that bypasses encryption on a user’s PCs using a very novel technique.  Rather than crack the crypto, the attack compromises the random number generator on the computer, affecting the crypto algorithm and making the encryption easy to break.  Very creative.  Source: The Register

 

vBulletin Developers Release Patches for 3 More High Severity Vulnerabilities

Right after patching the critical vulnerability that took down Comodo, the developers of vBulletin have released even more patches.  This time is it a remote code execution (RCE) flaw and two SQL injection (SQLi) attacks.  vBulletin runs on at least 100,000  web sites.  While these vulnerabilities are not at bad as last week’s, you should patch them soon.  Source: The Hacker News.

 

Feds Hit the Mob with Cyberstalking Charges

A jealous mobster put a GPS tracker on his girlfriend’s car.  The mobster, a captain in the Colombo crime family and 20 of his friends were charged with racketeering, loansharking, extortion and, oh yeah, cyberstalking.  The story sounds like a Hollywood B movie, but it is, apparently, real.  Read the story here.

 

Colorado Records Another First

In response to the Intelligence Community’s assessment of foreign interference in the 2016 election, reports of attempted interference in 2018 and reports from Defcon that every one of the voting machines that they tried to attack was vulnerable, Colorado Secretary of State Jena Griswold banned counting ballots using printed barcodes.  Griswold says that a barcode is not a verifiable paper trail if the voter has no idea what it says.  Colorado’s voting machine vendor, Dominion, has agreed to provide a software upgrade for free that will print out darkened circles next to the vote instead.  Unfortunately, nothing is perfect and this doesn’t go into effect until after the 2020 election.  Now that Dominion has agreed to provide the software upgrade for free,other states will likely follow.  Source: CNN .

Facebooktwitterredditlinkedinmailby feather