Tag Archives: REvil

Security News for the Week Ending January 21, 2022

Russia Arrests Some REvil Gang Members

At this point we don’t know who they ticked off, but Putin’s goons arrested 14 people and seized 426 million Roubles (about $5.5 million), $600,000 USD, 500,000 euros, computers and 20 cars. These guys definitely will not be getting a Christmas card from Vlad next year. Credit: Yahoo News

Gas or Electric – Which is Better When You are on a Virginia Highway in a Blizzard

Couldn’t resist the dig on Virginia – the government of which could not figure out recently that ice storms could cause problems and where people were stranded on the Interstate for over 24 hours with no food, water or heat. The question that electric car naysayers have been asking – or really telling – is that if you are in an electric car, stuck in a traffic jam, you are going to run out of juice and have to be towed somewhere to get a charge (vs. putting a few gallons into your gas tank). If you want to see the details of the argument, go to the link, but at least this analysis says that it is a bit of a toss up because of all of the variables. Credit: Vice

Europe Wants to Create Its Own DNS Infrastructure

The EU doesn’t like anything that it can’t control and especially if it is controlled by companies in the U.S. The project, called DNS4EU, would enable DNS filtering, support all DNS standards and, most importantly, would effectively be under the government’s thumb, meaning that they could tell DNS4EU to block whatever the various governments wanted. Bigger point, EU ISPs won’t be happy to lose the revenue that they get from currently selling their users’ data, so it is unclear whether, unless EU law forces them to use it, they would encourage it. Credit: The Record

More Than Half of Connected Medical Devices Have Critical Vulnerabilities

A new report from Cynerio says that 53% of Internet-connected medical devices analyzed were found to have a known critical vulnerability. In addition, a third of bedside healthcare IoT devices have an identified critical risk. This includes missing patches, unsupported operating systems and default passwords left in operation. Credit: Cynerio

Some Russian Hackers Worried About Being Arrested

After recent arrests by Russia’s FSB of the REvil hackers, there is some chatter on Russian message boards about not wanting to go to jail. One hacker said that those who expect that Russia would protect them will be greatly disappointed. Some are even suggesting moving to a more favorable (to them) jurisdiction, but there likely aren’t many of those. If Russia continues this then the paranoia will likely increase, which is good for us. Credit: ZDNet

Security News for the Week Ending November 12, 2021

Feds Having Some Success In Going After Hackers

The DoJ announced the arrest of a Ukrainian who is accused of deploying ransomware on behalf of the REvil ransomware gang. They also seized $6 million in cryptocurrency. The Ukrainian was arrested in Poland (crooks are not smart. If you are in the crosshairs of U.S. law enforcement, do not go to countries with extradition treaties with us). They also arrested other REvil affiliates in Romania and Kuwait. Understand that while this is all good, it is also a drop in the bucket with regard to the amount of cybercrime affecting us. Credit: Bleeping Computer

State Department Sends Emergency Employee Message: Change Passwords

On Tuesday afternoon the State Department sent out an official text message to employees telling them to change passwords now and increase the length from 12 to 16 characters. They are not even confirming the message but the only logical conclusion is that they were hacked. Credit: Just the News

Missouri Apologizes for Governor’s Political Stunt

After the St. Louis newspaper discovered that a state website that allows the public to check on teachers’ credentials was leaking the personal information of hundreds of thousands of teachers, the governor tried to get the newspaper and the reporter arrested and charged with hacking. He even ordered the highway patrol to investigate the crime. Now the state’s department of education is apologizing to the teachers and offering them credit monitoring. The governor said that the newspaper’s hacking was going to cost the state $50 million. Turns out the cost is really $800,000. And the highway patrol is still investigating. The Governor has not apologized. Credit: ZDNet

Dutch Newspaper Accuses US Spy Agency of Orchestrating 2016 Booking.com Breach

Booking.com was hacked in 2016 and they did not disclose the breach. The newspaper says that Booking.com relied on advice from law firm Hogan Lovells saying they did not have to disclose it. The hackers came across a poorly secured server with customer PINs which allowed them to steal the information. The company asked the Dutch spy agency for help after an internal investigation tied the hacker to US spy agencies. The company acknowledged that it did not disclose the breach and that was consistent with the laws in effect at the time. This hack looks very similar to an attack that Snowden disclosed eight years ago. Credit: The Register

13 Security Bugs Impact Important Healthcare Devices

Researchers have published details of a suite of 13 vulnerabilities in the Nucleus real time operating system from Siemens that is used across many industries including healthcare, automotive and aerospace. Called Nucleus:13, the flaws affect the TCP/IP stack, a common attack vector in these types of operating systems. This revelation is part of a larger investigation into TCP/IP software which discovered 78 vulnerabilities in 14 different TCP/IP stacks. A different research team found 19 flaws in a different TCP/IP stack. Siemens has released patches for the current versions of the OS, but there is no way for an end user to know what version is in their medical device – that is, until software bills of material become legally mandatory. Credit: Bleeping Computer

Security News for the Week Ending July 16, 2021

Supply Chain Attacks Roll On

The Accellion File Transfer Appliance vulnerabilities have been the source of many breach notifications over the last several months. For whatever reason, they seem to be dribbling out. The newest one is Morgan Stanley. In this case, it was a Morgan Stanley VENDOR that was using Accellion, so instead of the third party attacks we talk about all the time, this is a fourth party attack. Of course, Morgan Stanley will take the heat, fines and lawsuits. Are you sure your vendors have your back? What about their vendors? Credit: Data Breach Today

Senate Finally Confirms Jen Easterly as Head of DHS/CISA

After CISA had gone 8 months without an official chief, and after one Senator pulled a pre-July 4th political stunt that delayed her confirmation, the Senate unanimously confirmed Easterly this week. Easterly, who retired from the Army in 2011, was the deputy director for counterterrorism at the NSA, served on the National Security Council staff at the White House and is a two time Bronze Star recipient. She is an outstanding person to lead CISA after Chris Krebs was fired last year for not following the party line. Credit: CNN

Did Russia Get the Message?

Remember the REvil ransomware gang? The folks that hacked Kaseya and JBS, among others? Well, their web sites are no more. Did the U.S. take them down? Did Putin decide he didn’t like the heat? Will they come back later under a different name? Not clear. But what is clear is that people who were trying to get their files decrypted by paying the ransom have a bit of a problem, as in they are kinda out of luck. My guess is Biden told Putin to fix the problem or we would fix it for him, and he probably would not like the collateral damage. Credit: MSN

Hackers are Hard to Kill Off

Last year around election time the Pentagon was all full of press releases saying that they took down a Russian hacking operation called Trickbot. They have millions of victims around the globe. Bitdefender found that they are resurrecting their tools, updating them, etc. While Bitdefender found this particular tool using a honeypot, it doesn’t mean that was their only tool and it certainly does not mean they will shut down. It does mean that hacker networks are so profitable that they will come back from the dead. Credit: The Daily Beast

Want a $10 Million Prize?

The feds are offering a reward of up to $10 million for information on operations conducted by actors working for a foreign government. On Thursday, the U.S. Department of State announced that its Rewards for Justice (RFJ) program now incentivizes reports of foreign malicious activity against U.S. critical infrastructure. The actions may include extortion as part of a ransomware attack, stealing information from protected systems, “and knowingly causing the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causing damage without authorization to a protected computer.” The feds set up a Tor site to report information confidentially. Credit: Bleeping Computer

Security News for the Week Ending January 10, 2020

Albany Int’l Airport Hit By Ransomware via MSP

In what is becoming an all too common story, the Managed Service Provider that supported Albany, NY’s airport, Logical Net of Schenectady, NY, was hacked and from there, the hackers were able to connect to the airport’s administrative network and infect it with REvil ransomware, the same ransomware that hit Travelex (see below). I say supported because after the airport paid the under 6 figure ransom (? $99,000), they fired the MSP. The ransomware encrypted the airport’s backups in addition to the live data. Given that we are hearing about these attacks against outsourced service providers almost weekly, customers need to start putting pressure on these providers to improve their security. Source: Bleeping Computer

Cyber Attack Events From Iran Nearly Tripled

Soon after the attack that killed General Soleimani, attacks originating from Iran were up 50% and grew from there.  Cloudflare says that for their little piece of the world Internet, there were a half billion attack attempts in a 48 hour period.  Source: MSN

Info on 56 Million U.S. Residents Sits Exposed – On a Server in China

This does not appear to be a hack. 22 gigabytes of data on 56 million U.S. residents is sitting exposed on a server in China. The data appears to belong to CheckPeople.com, one of those for-a-fee information sites. It is hosted on a web farm run by the Chinese giant Alibaba. While this data is not super valuable, it could be useful for any number of foreign adversaries because of the volume and because whoever created it did all of the work of aggregating and organizing it. Did CheckPeople license it to the Chinese? Or did the Chinese steal it? Or does CheckPeople use servers in China? If so, that is something we should stop. Source: The Register

Travelex Woes Continue

NOTE: I am providing a bit of a blow by blow of the Travelex attack because it is a useful learning lesson for everyone on what to do, what not to do and how to communicate about it. We usually don’t get as much direct information about these attacks as we are seeing here, even though most of the information is NOT coming from Travelex.


This has got to be one of the worst incident response examples I have seen since, say Equifax.  Really, really bad and getting worse by the day. They said this won’t have a material effect on their business, but that is hard to believe.

FRIDAY January 10, 2020

As of Friday night, Travelex’s website is still down.

Given the size of the organization, it is surprising that 10 days into the ransomware attack, the company is still offline.

According to Bleeping Computer, the hackers originally demanded $3 million not to sell Travelex’s data but have now upped the number to $6 million.

While Travelex’s public position is that no “structured” personal data has been  stolen, the hackers say that Travelex is negotiating a price with them.

Hackers behind the REvil ransomware say, on a Russian hacker forum, that if Travelex does not pay the ransom, they will sell the data on the black market.

As we watch this dumpster fire of an attack from a distance, one of the many lessons to learn is about alternate providers. Travelex provides services to a number of banks such as Barclays, Lloyds and Westpac. Those banks have had to shut down currency services to their customers.

As part of your disaster recovery and business continuity plan, you need to consider the impact on YOUR business not only if you are hit by a ransomware attack but what if one of your key providers is taken offline for a week or two or more from an attack.

In this case, the banks have had to refund customer orders and customers have gone to competing banks for their currency needs, possibly never coming back.

THURSDAY January 9, 2020

The NY Times is reporting that the hackers claim to have uploaded 5 gigabytes of “sensitive customer information” and have been in Travelex for 6 months.  They say that if Travelex doesn’t pay them $6 million by January 14th, they will publish the data (AKA Ransomware 2.0).  Their web site is still down. Banks like Barclays and Royal Bank of Scotland that use Travelex as their foreign currency provider are also still down.

WEDNESDAY January 8, 2020

Travelex finally admitted they were hit by the REvil ransomware.  London’s Met (Metropolitan Police) said that their elite cyber team was not contacted until January 2, 3 days after the attack.

They are also saying that there is no EVIDENCE that STRUCTURED personal customer data has been encrypted.  I am not quite sure how to read between those lines.

They also say that, 9 days into the attack, they still don’t have a complete picture of all the data that was encrypted.

Their web site is still down, although there is a new press release on it, updated from the old one.

Finally, they say that they don’t currently anticipate any material financial impact from the breach.  (British Airways was fined $230 million for their breach – not counting lawsuits, remediation, etc.  Not sure what they are thinking).

TUESDAY January 7, 2020

The Travelex web site still shows the message that says they were hit by malware with no explanation and no expected up time.

MONDAY, January 6, 2020

I wrote in last weekend’s newsletter that Travelex, who had an IT incident (likely ransomware, but unconfirmed), seemed to have recovered by last Sunday night. At least their web site was back up. It turns out that I spoke too soon and as of Monday, their website is still/again down.

While Travelex is still being tight-lipped about things, information is leaking out around the edges – something that businesses would be well advised to understand. They cannot keep these things under wraps.

What we do know is that booths at airports are still operating, although they are doing it with a pen and a pocket calculator.

Travelex says that they don’t know when things will be back online.  I assume this means that people who took Travelex’s advice and put their money in a Travelex cash card still do not have access to their money.  This is the perfect stuff for lawsuits – actual harm.

The Register is reporting that Travelex had/has public facing Windows servers with Remote Desktop Protocol (RDP) enabled with no network authentication.  This is kind of like playing Russian Roulette with 5 live bullets – not recommended.

The servers are running Windows Server 2008 R2, which will be officially unsupported on January 15th – just a few days from now.  The servers are also running .Net 4.0.30319, which is also “rather old”.
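The three exposures reported above (RDP reachable without Network Level Authentication, an end-of-support Windows version and an old .NET Framework) are all things an administrator can check locally. The following PowerShell audit is an added example written for this post, not Travelex’s or The Register’s code; it assumes a Windows host where it is run in an elevated session, and reads only the standard Terminal Server, OS and .NET registry/WMI locations.

```powershell
# Added example (not from the original post): audit a Windows host for the
# Travelex-style exposures described above. Run in an elevated PowerShell.

$findings = @()

# 1. Is RDP enabled at all? fDenyTSConnections = 0 means connections are allowed.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0

# 2. Is Network Level Authentication required on the RDP listener?
#    UserAuthentication = 1 means NLA is enforced; 0 means anyone who can reach
#    port 3389 gets a logon screen before authenticating.
$rdpTcpKey = "$tsKey\WinStations\RDP-Tcp"
$nlaRequired = (Get-ItemProperty -Path $rdpTcpKey -Name UserAuthentication).UserAuthentication -eq 1

if ($rdpEnabled -and -not $nlaRequired) {
    $findings += 'RDP is enabled but Network Level Authentication is not required'
}

# 3. Is the OS out of support? Windows Server 2008 R2 reports kernel version 6.1
#    (build 7601); anything below 6.2 is that generation or older.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ([version]$os.Version -lt [version]'6.2') {
    $findings += "OS $($os.Caption) (build $($os.BuildNumber)) is out of support"
}

# 4. Which .NET Framework 4.x is installed? 4.5 and later write a Release DWORD
#    here; a bare 4.0 install (the 4.0.30319 runtime mentioned above) does not.
$ndpKey = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release = (Get-ItemProperty -Path $ndpKey -Name Release -ErrorAction SilentlyContinue).Release
if (-not $release) {
    $findings += '.NET Framework 4.5 or later is not installed (4.0 or older only)'
}

# Remediation for finding 1 (uncomment to apply): require NLA on the RDP listener.
# Set-ItemProperty -Path $rdpTcpKey -Name UserAuthentication -Value 1

if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```

Enforcing NLA does not make an Internet-exposed RDP listener safe on its own; the usual fix is to take it off the public Internet entirely and reach it through a VPN or gateway.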

I am sure that regulators on both sides of the Atlantic will be asking some uncomfortable questions.  This may also be a GDPR violation.

Stay tuned for details.  Source: The Register

Computer Weekly says the attack is ransomware, specifically the REvil Ransomware and the bad guys are asking $3 million for the decryption key.   They are also saying that Travelex waited 8 months to patch a critical flaw in Pulse VPN servers. Source: Computer Weekly.