Tag Archives: ransomware

Is This Becoming a Thing – Another MSP Ransomed

A couple of weeks ago it was a Managed Service Provider in Denver.  A few weeks before that, it was one in Wisconsin.  This week it is Irvine, CA based Synoptek with more than 1,100 customers including state and local governments, financial services and healthcare.  Their web site says that they did more than $100 million in business last year.

Someone captured a Tweet of theirs before they deleted it:

Now that they were hit by a ransomware attack which encrypted customer data on Christmas Eve, they probably wish they had taken their own advice.

They are being very quiet about the whole thing, but reports say that it infected a subset of their customers and that they paid the ransom.  Hopefully they have insurance to cover the cost.

Unlike the attack in Colorado, it looks like these guys were better prepared and were able to contain the attack and are working quickly to mitigate it.

Several thoughts here:

  • It looks like this *IS* becoming a thing because for an MSP, if they don’t pay the ransom, if they don’t decrypt their clients’ data, if they don’t minimize the consequences, they are likely out of business.  From an attacker’s standpoint, this is THE BEST scenario.
  • Since there are likely tens of thousands of these service providers out there, from mom & pop shops to a few hundred employees (Synoptek has about 700 peops), there is no shortage of opportunities.
  • As an MSP’s customer, you want to ask those embarrassing questions like do you have insurance, are you prepared and how long would I be down?
  • This attack also went after the remote control software, which is a weak spot for MSPs.  There are some options when it comes to this, so you might want to ask questions.
  • When it comes to *YOU*, you need to make sure you are prepared:
      • Do you have your own backups?
      • Do you have a monitoring and alerting system to detect the problem quickly (we have a cost effective solution)?
      • What is your plan if one or more of your service providers is down for a day?  For a week? For a couple of weeks?  Goes out of business?
      • Can you continue to do business while you are down?
  • While the total number of businesses impacted by just these three attacks that did hit the news is around, best guess, one thousand companies, that is just 3 attacks.  This will likely get uglier before it gets better.

And just to lighten things up a bit, check out this YouTube clip from the animated movie Hoodwinked.  He has a good suggestion – https://www.youtube.com/watch?v=HUIP208nZZs

Source: Brian Krebs


Security News for the Week Ending December 27, 2019

Russia Claims to Have Successfully Disconnected from the Internet

Russia has been planning to install an Internet kill switch for a couple of years now.  Of course, we have no clue what that means.  Likely, it means that they have their own DNS servers so that they do not have to resolve web site addresses using servers controlled by the US and EU.  But that means any web sites that are outside of Russia will not work if they do this.

More likely, this process, which forces all traffic through government controlled gateways, is designed to surveil its citizens even more than it already does.  Details at ZDNet.

Pentagon Tells Military Not To Use “At Home” DNA Tests

I am not sure that Ancestry.com or 23AndMe are terribly happy about the message, but the Pentagon put out a memo this week telling members of the armed services not to take at home DNA tests unless otherwise notified.

The cover story is that the tests might be unreliable and not reviewed by the FDA.  The next story is that negative results might require members of the armed forces to disclose things that could end their military careers.

The real story is they are worried about state actors getting their hands on the DNA of our service men and women for nefarious purposes.

It looks like the military is actually starting to understand risks of the 21st century.  Good work.  Note this is not voluntary or optional. Source: MSN

Telemarketing Firm Lays off 300 Before Christmas Due to Ransomware

A Sherwood, Arkansas telemarketing firm laid off 300 people just before Christmas after a ransomware attack shut down their systems.  The attack happened about two months ago and even though they paid the ransom, they have not yet been able to restore the systems.  Apparently, at this point, they have run out of money. The company finally put out a memo explaining what was happening and told employees to call on January 2nd to see if they were going to get their jobs back.  Merry Christmas.  Source: KATV

British Pharmacy Fined $350K for Failing to Protect Medical Records

It is not just the big companies that are getting fined.  In this case a British pharmacy was fined $350,000 for leaving a half million records unprotected and exposed to the elements.  In addition, the pharmacy was issued an order to fix its security practices in 90 days or face more fines.  We are seeing less willingness by courts and regulators on both sides of the Atlantic to tolerate companies' missteps when it comes to security and privacy.  Source: The Register.

Georgia Supreme Court Says Victims of Medical Clinic Hack Can Sue

Moving to this side of the Atlantic, the Georgia Supreme Court says that victims of an Atlanta area medical clinic that was hacked can sue the clinic for negligence.  As I said, courts are becoming much less understanding as to why companies are not effectively protecting the data entrusted to them.  This decision reverses the Court of Appeals decision and is only binding in Georgia, but courts in other states may use this as a precedent in their decision process.  Source: Atlanta Journal Constitution


More Businesses Are Opting to Pay Ransom to Get Their Data Back

The 2019 Crowdstrike Global Security Attitude Survey said that the total number of organizations around the world paying the ransom after falling victim to a supply chain attack almost tripled from 14% to 39%.

In the UK, the number of organizations that have experienced a ransomware attack and then paid the ransom doubled from 14% to 28%.

The ransoms, which are often in the 6 to 7 figure range (~ $500,000), are motivating the hackers to ramp up the attacks.

Here in Colorado we saw one attack that compromised a managed service provider and compromised over a hundred dental practices.  Each of those practices had to either pay the ransom or figure out another way to get their data back.

So why are these attacks continuing to be successful?

First of all, organizations of all sizes are not taking the necessary measures to protect themselves.  Patching, not reusing passwords and two-factor authentication are among the basic measures that many organizations are not doing across the board.

Next comes good backups.  We often see that backups are online (because that is more convenient) and the backups get encrypted as well.  Offline or write once backups are an important part of the backup strategy.

Finally, how long will it take you to recover?  After the Atlanta ransomware incident, the city spent 3 months recovering their systems.  For many companies, if they were down for three months, they would be out of business.

Given that ransomware attacks are, for the most part, attacks of opportunity, no one, big or small, has a get out of jail free card to use.  That means that everyone needs to be prepared to deal with a ransomware event and you want to be ready before it happens.

This is where disaster recovery, business continuity and computer forensics come in.

A Business Continuity program manages the process of making sure that critical business services continue to work in case of an attack.

A Disaster Recovery program manages the recovery process.  If you cannot rebuild your systems from backups within a time window that the business needs, you may be left with the very unpalatable option of paying the ransom.

If you do pay the ransom, you should assume that the attackers still have access to your system or have the ability to reinfect your systems after they come back online.  You need to understand how they got in there in the first place and that is where the third leg of the stool comes in – incident forensics.

While none of this is cheap, having a program in place and your team trained could be the difference between responding to an incident and going out of business.

Source: ZDNet

 


Weekly Security News for the Week Ending December 13, 2019

Apple’s Ad Tracking Crackdown Shakes Up Ad Market

Two years ago Apple decided that since they don’t earn a lot of revenue from ads and Google, their competitor in the phone business, does, wouldn’t it be great to do something to hurt them.  Oh, yeah, we can pretend the real reason we are doing it is to protect the privacy of our users.  Thus was born Intelligent Tracking Prevention.  This makes it much more difficult for advertisers to micro-target Safari users.

The results have been “stunningly effective”, trashing Google's and others' ad revenue from Safari users (typically affluent users who buy $1,000+ Apple phones, hence a highly desirable demographic) by 60%.  The stats are that Safari makes up a little over half of the US mobile market (Android wallops iPhone worldwide, but there are more users in the US willing to pay a lot of money for a phone).

So it is kind of a win-win.  Apple puts a dent in Google’s revenue and the users get tracked a little bit less.  Source: Slashdot.

 

Apple Releases Fix to Bug That Can Lock Users Out of Their iDevices

Apple users are generally pretty good at installing new releases, but this one fixes a bug that would allow an attacker to create a denial of service attack against any Apple device by sending it a bunch of requests at a speed the device can’t handle.  The bug is in AirDrop, Apple’s file sharing feature.    The good news is that a patch is available, so you just need to install it.  Source: Techcrunch

 

KeyWe Smart Lock is Broke and Can’t Be Fixed

KeyWe is a smart lock for your house.  You can buy it on Amazon for about 150 bucks and unlock your house from your phone.

But you probably shouldn’t.  Because, apparently, ANYONE can unlock your house from their phone.

Researchers have figured out how to intercept the communications using a $10 Bluetooth scanner and decrypt the communications because the folks that wrote the software thought they knew something about cryptography.

Worse yet – the software in the lock cannot be upgraded.  Ever.  By any method, local or remote.  You get to buy a new lock.

So, as people continue to be infatuated with anything Internet, the crooks say thank you because, as I always say, the S in IoT stands for security (hint: there is no S in IoT).  Source:  The Register

 

Over 1 BILLION Userid/Password Combinations Exposed

There is a bit of good news in this (at the end).   Researchers found a publicly exposed Elasticsearch database on the net that was indexed by the BinaryEdge search engine.  The database contained 2.7 billion email addresses and clear text (unencrypted) passwords for over a billion of them.  The researchers contacted the ISP hosting the database and it was eventually taken offline.  It is not clear who owns the database or what its purpose is.   It looks like it is a collection aggregated from a number of breaches.  The good news is that most of the email addresses are from Chinese domains, so if we want to hack back at China, we have most of their emails and passwords.  Source: Info Security Magazine

New Orleans Hit By Ransomware Attack

In what is at least the third ransomware attack in Louisiana in recent weeks, the City of New Orleans shut down all of its computers, including the City’s official web site in an attempt to contain a ransomware attack.  As of right now, 911 is using their radios in place of computers to manage emergencies.

The city told users to unplug their computers from the network and stop using WiFi in an effort to contain the damage.  They then went from floor to floor to check if people really did that.

A MUCH SIMPLER AND QUICKER WAY TO CONTAIN THE DAMAGE IS TO POWER OFF ALL NETWORK SWITCHES (including the ones that the WiFi routers are connected to).  Doing that eliminates the communications path for the malware.  Once that is complete, you can power off individual computers. Source: NOLA.Com


Security News for the Week Ending December 6, 2019

Caller Poses as CISA Rep in Extortion Scam

Homeland Security’s CISA (Cybersecurity and Infrastructure Security Agency) says that they are aware of a scam where a caller pretends to be a CISA rep and claims to have knowledge of the potential victim’s questionable behavior.  The caller then attempts to extort the potential victim.

CISA says not to fall for the scam, do not pay the extortion and contact the FBI.  Source: Homeland Security.

Senate Committee Approves $250 Mil for Utility Security

The PROTECT  program would provide grants for utilities to improve their security.  Given that a carefully distributed government report says that the Russians (and not the Chinese) have compromised a number of US utilities already, improving security is probably a smart idea. The nice part is that it is a grant.  The important part is that the money would be spread out over 5 years, so in reality, we are talking about spending $50 million a year.  It also seems to be focused on electric and doesn’t seem to consider water or other utilities.  There are around 3,300 electric utilities alone in the US.  If we ignore everything but electric and spread the money equally (which of course, they won’t), every utility would get $15,000.  That will definitely get the job done.  NOT!  Source: Nextgov

Smith & Wesson’s online Store Hacked by Magecart

Lawrence Abrams of Bleeping Computer fame tried to warn Smith & Wesson that their online store had been compromised by the famous Magecart malware.  They join the likes of British Airways (183 million Euro fine) and thousands of others.  Abrams did not hear back from them by publication time.  Source: Bleeping Computer

Another MSP Hit by Ransomware Attack

CyrusOne, one of the larger MSPs, was hit by a ransomware attack which affected some of their customers.  As I said in my blog post earlier this week, attacks against MSPs are up because they are juicier targets.

In CyrusOne’s case, they said the victims were primarily in a data center in New York (which hopefully means that they have segmented their network), it did not affect their colo customers, only their managed customers (because in a colo, the provider does not have credentials to their customer’s servers) and they are investigating.

This is just one more reminder that you can outsource responsibility to a service provider, but the buck still stops with you when the provider is hacked.  Source: MSSP Alert

Reuters Says Census Test Run in 2018 Was Attacked By Russia

Commerce outsourced the first digital census to Pegasystems and at last check the cost has doubled to $167 million.  More importantly, in a 2018 test, Russian hackers (not China) were able to penetrate a firewall and get into places where they should not have been.  In addition, the test was hit with DNS attacks.

Sources say this raises concerns whether T-Rex Solutions, the Commerce Department’s main security contractor, can keep the Russians out when the site actually goes live.  Or the Chinese. Or other countries that would like to embarrass us.

Census said (a) no comment, (b) no data was stolen (this was likely a reconnaissance test by the Russians, so no surprise) and (c) the system worked as designed (i.e. the Russians got in and we panicked).

Clearly if the Russians are able to compromise the Census, that would be a HUGE black eye for this President and the Executive Branch.

They can hide things during a test, but cannot hide them when it goes live, so let's hope they are able to fix it.  Source: Reuters


Argh – They Have a Name for it Now – Leakware

As I have been saying for a while, hackers are good at evolving.

As we see more and more ransomware attacks, a lot of people are opting not to pay the ransom and instead deal with reconstructing their infrastructure and losing data (like police losing digital evidence and having to let crooks go).

So the hackers are in the process of evolving.

The City of Johannesburg, South Africa was hit with a ransomware attack and the attacker said that if they didn’t pay the ransom, the hackers would sell/publish the data.  We are beginning to see more of this.

The city didn’t pay and we don’t know if the hackers sold the data.  It is possible that it was a bluff and they didn’t have the data.  Only time will tell.

But from a hacker’s standpoint, that is likely the next evolution of ransomware and they have given it a name – LEAKWARE.

The premise is that good backups don’t help.  Disaster recovery plans don’t help.  Business continuity plans do not make a difference.

If I was a hacker and was contemplating a Leakware attack, I would go after high value targets.  Examples include banks, mortgage companies, big pharma and law firms.  Also anyone with a lot of personal data like HR departments, sensitive data, financial data or intellectual property.  Especially service providers (law firms, accounting firms, contract HR and similar companies fit into this category).  These are companies that might go out of business if their customers' data was published, hence they are very likely to pay a Leakware ransom.

The only solution to this is to do your best to protect your infrastructure.  There are a number of ways to do this – better employee training, logging with 24×7 alerting, segmentation and many others.   It takes work.  It costs money, but maybe not a fortune.  What it takes is making protecting your network a priority.

Source: Government Computer News
