
Security News for the Week Ending November 12, 2021

Feds Having Some Success In Going After Hackers

The DoJ announced the arrest of a Ukrainian who is accused of deploying ransomware on behalf of the REvil ransomware gang. They also seized $6 million in cryptocurrency. The Ukrainian was arrested in Poland (crooks are not smart. If you are in the crosshairs of U.S. law enforcement, do not go to countries with extradition treaties with us). They also arrested other REvil affiliates in Romania and Kuwait. Understand that while this is all good, it is also a drop in the bucket with regard to the amount of cybercrime affecting us. Credit: Bleeping Computer

State Department Sends Emergency Employee Message: Change Passwords

On Tuesday afternoon the State Department sent out an official text message to employees telling them to change passwords now and increase the length from 12 to 16 characters. They are not even confirming the message but the only logical conclusion is that they were hacked. Credit: Just the News

Missouri Apologizes for Governor’s Political Stunt

After the St. Louis newspaper discovered that a state website that allows the public to check on teachers’ credentials was leaking the personal information of hundreds of thousands of teachers, the governor tried to get the newspaper and the reporter arrested and charged with hacking. He even ordered the highway patrol to investigate the “crime.” Now the state’s department of education is apologizing to the teachers and offering them credit monitoring. The governor said that the newspaper’s “hacking” was going to cost the state $50 million. Turns out the cost is really $800,000. And the highway patrol is still investigating. The Governor has not apologized. Credit: ZDNet

Dutch Newspaper Accuses US Spy Agency of Orchestrating 2016 Booking.com Breach

Booking.com was hacked in 2016 and they did not disclose the breach. The newspaper says that Booking.com relied on advice from law firm Hogan Lovells saying they did not have to disclose it. The hackers came across a poorly secured server with customer PINs which allowed them to steal the information. The company asked the Dutch spy agency for help after an internal investigation tied the hacker to US spy agencies. The company acknowledged that it did not disclose the breach and that was consistent with the laws in effect at the time. This hack looks very similar to an attack that Snowden disclosed eight years ago. Credit: The Register

13 Security Bugs Impact Important Healthcare Devices

Researchers have published details of a suite of 13 vulnerabilities in the Nucleus real time operating system from Siemens that is used across many industries including healthcare, automotive and aerospace. Called Nucleus:13, the flaws affect the TCP/IP stack, a common attack vector in these types of operating systems. This revelation is part of a larger investigation into TCP/IP software which discovered 78 vulnerabilities in 14 different TCP/IP stacks. A different research team found 19 flaws in yet another TCP/IP stack. Siemens has released patches for the current versions of the OS, but there is no way for an end user to know what version is in their medical device – that is, until software bills of materials become legally mandatory. Credit: Bleeping Computer

Feds Scramble for Easy Fix To Ransoms

Congressman Patrick McHenry (R-NC) introduced the Ransomware and Financial Stability Act (HR 5936) this week which would make it illegal for financial institutions to pay ransoms over $100,000 without first getting the government’s permission.

McHenry, the top Republican on the House Financial Services Committee, introduced the bill yesterday.

He said that ransomware payments in the U.S. totaled more than $1 billion since 2020. He didn’t answer where he came up with that number.

The FBI says ransomware payments between 2014 and 2020 totaled $140 million. Not sure where the other $860 million came from.

He says that the bill will help deter, deny and track down hackers who threaten the financial institutions. I am sure that a new law will make all of those hackers in Russia and North Korea shake in their boots. I am also not clear why not paying ransoms would help track down hackers.

If the bill passes, it will mandate the following:

  • Financial institutions will have to notify Treasury’s FINCEN before making a ransomware payment
  • It would prohibit financial institutions from paying a ransom in excess of $100,000 without prior approval from law enforcement or the President, if he/she determines it is in the country’s national interest

The bill says that ransomware payment reports would remain confidential, something the government is great at, except that there is an exception to that in the case of the government or the courts.

Of course there are two sides to prohibiting these payments.

On the pro ban side, they say it is no different than paying bribes or paying pirates.

On the anti ban side, there are those who say it is not the government’s decision and paying the ransom may be dramatically less expensive than not paying it.

RAND has suggested that banning ransom payments is similar to the U.S.’s no-concession approach to giving in to kidnapping demands, which RAND says does not work.

The FBI said that ransom payments should not be banned.

Usually the reason that companies choose to pay the ransom is that it is less expensive. Often 10x or 50x less expensive. The bill, which makes saving that money impossible, does not compensate financial institutions for the decision that the government will make for them.

The only good news is that he does not have any co-sponsors and there is no Senate version.

Credit: Threatpost

Security News for the Week Ending August 27, 2021

Third Party Risk – You Can Ignore it, But It Won’t Ignore You

DataBreaches.net is reporting that a hacker claimed to have hacked an HVAC vendor and remotely accessed systems at the vendor’s customers. One of those customers is reported to be Boston Children’s Hospital. The HVAC vendor is reported to be ENE Systems in Canton, Mass. The hacker showed the reporter schematics and wiring diagrams that the hacker claimed were taken at Children’s Hospital. The hacker attempted to extort ENE after the breach. Hopefully, the affected hospitals, including Mass General, did a good job of isolating the affected systems from the rest of the network, but if so, that would be unusual. I’m hoping. Credit: Info Risk Today

Samsung Can Turn Off Any Samsung TV Worldwide Remotely

Samsung admitted/announced that they can turn off any of their TVs worldwide remotely. The idea is to kill the market for stolen TVs. The TV checks if it is on a stolen TV list and if it is, they shut it down. However, if they turn it off by mistake, you better hope you kept your receipt. They say if you can prove you bought it legally and have a valid TV license (whatever that is), they can turn your TV back on in as little as 48 hours. Otherwise, you have a really expensive paperweight. Of course, if you are like me and think the only smart TV is one that is not connected to the Internet, their solution doesn’t work. On the other hand, I wonder what happens when they get hacked. Now that it is known, hackers might choose to have fun at Samsung’s expense. Credit: Bleeping Computer

Ransomware Gang Targets Specific File Types

Researchers found a PowerShell script used by the Pysa ransomware gang that shows exactly what sort of file names they are looking to steal. Those include tax files like 941, 1040 and 1099, insurance files, scans, payroll, Pwd and others. See a more complete list here.

What Not to Put in Checked Baggage

The TSA has a long list of things that you cannot legally put in checked baggage like fireworks, but then there are really stupid things to put in your checked luggage. An Alaska Airlines passenger checked their cell phone in their baggage and as the plane landed the phone caught fire, (possibly due to the change in altitude?). The Port of Seattle Fire Department responded, the 182 people on the plane were evacuated and this passenger will not get the information off their phone. Note that this is not illegal, just not smart. There were some injuries and everyone had to be bussed to the terminal. Credit: MSN

Security News for the Week Ending July 30, 2021

Internet Rot Causes Porn on Legit Sites

News sites like New York Magazine and others accidentally displayed porn because they had links to the old and now gone Vidme video sharing site. Vidme went out of business in 2017 and a porn site bought the domain. Since there is no easy way for web site operators to detect that a linked site has been sold and since there are billions of old pages out there, you have the making of an embarrassing disaster. Needless to say, the web sites fixed this little bit of rot, but there are millions of other bits of rot lurking. Credit: Wired

Ex eBay Security Boss Sentenced to 18 Months for Cyber-stalking and Witness Tampering

The former global security manager for eBay was sentenced on Tuesday to 18 months in prison and was ordered to pay a $15,000 fine for his role in the cyber-stalking and harassment of a Massachusetts couple who published a newsletter critical of the internet yard sale. Philip Cooke, a former police captain before joining eBay, was the last of 7 charged in a scheme to threaten and silence a couple who wrote a blog that was negative about eBay. eBay executives say that they were not aware of the tactics, but… really? Credit: The Register

9th Circuit Limits Feds’ Confiscation of Electronics at the Border

The 9th Circuit Court (covering Alaska, Arizona, California, Guam, Hawaii, Idaho, Montana, Nevada, Mariana Islands, Oregon and Washington) ruled that border agents, who until now have had a complete free-for-all with your digital devices, are severely limited in what they can search for without a warrant. They can ONLY search for digital contraband such as child porn. Under the Trump administration, CBP had a blacklist of reporters, humanitarian workers and lawyers and would regularly seize their phones and laptops under the ruse of Homeland security and copy all of their content. Assume this will wind up at SCOTUS sometime in the next 5-10 years, but in the meantime, this is the law in the western US. Credit: The Washington Times

Ransomware Up 93% in Last 6 Months Adding TRIPLE Extortion

In a report, Checkpoint Security says that overall cyber attacks are up 17% in the US and 36% in EMEA over the first 6 months of the year. But, they say, ransomware is up 93%, driven by ransomware 3.0. For those not following this, in ransomware 1.0, the crooks just encrypted your data. In ransomware 2.0, they steal it first, then encrypt it and threaten to release it if you have good backups and don’t want to pay. In ransomware 3.0, they steal it and encrypt it, but also try to get your customers, whose data they have stolen, to pay. Credit: Cyber News

DOJ Admits Hackers Got Into Emails of 27 US Attorneys’ Offices

7 months after the SolarWinds attack was announced, DOJ now says that Russia was able to browse their emails between May and December, including sent, received and stored messages, and also including attachments. DOJ admits that Russia had access to at least 80% of employees’ emails in the Eastern, Northern, Southern and Western districts of New York. They also got access to emails in California, DC, Florida, Georgia, Kansas, Maryland, Montana, Nevada, New Jersey and 6 other states. Credit: Bleeping Computer

Are You Ready for the Next Supply Chain Attack?

On Friday, title industry software and consulting provider Cloudstar was hit by a ransomware attack. Cloudstar operates 6 data centers and supports over 40,000 customer users. Now those customers are wondering what they are going to do.

Cloudstar users who close real estate sales are dependent on Cloudstar’s systems being up.

Cloudstar has been down since Friday. Their CEO says he doesn’t know when the systems will be back operational.

Cloudstar’s customers are scrambling today to be able to close loans.

In the meantime Cloudstar has brought in third party experts to help them.

While it is possible that Cloudstar was specifically targeted, as suggested in a Housing Wire article, no one knows if that is true or not. It is certainly possible that they were just another random victim after an employee clicked on a malicious link.

This particular software is core to the title business so it is not like a title company can do a Google search and replace it. Cloudstar’s competing service providers are circling like vultures, offering free setup and who knows what else, but the problem is that the companies that use Cloudstar’s services do not have access to the forms and client data that lives on Cloudstar’s platform, which is now encrypted. Credit: ALTA

Title companies who are affected by this attack likely must report this to their regulator as the assumption by the federal government is that ransomware equals data compromise. They also likely have to tell customers that their loan or other data may have been compromised.

Some of Cloudstar’s customers may go out of business, depending on how long Cloudstar is down. It could be anywhere from a few days to a month. Or more.

In helping our clients respond to Fannie Mae audits (MORA), Fannie seems to be much more interested in regulated entities’ ability to respond to a ransomware attack and continue to support their customers. This is yet another thing that companies need to be concerned about.

But take a step back from the specifics of this supply chain attack. You likely have vendors that are critical to your business and which are also a single point of failure that cannot be easily or quickly replaced. Given the number of ransomware and other cyber breach attacks against service providers, companies need to prepare themselves for the possibility that they will be in the same boat as the customers of Cloudstar are today. The alternative is that you lose access to your data, your business comes to a complete standstill, you have to report to regulators and customers that you lost control of your data and, potentially, face significant expenses.

Are you ready?

Additional info credit: The Title Report