Archive for January 17, 2022

Microsoft Discovers Destructive Malware Targeting Ukraine

Posted in Commentary with tags , on January 17, 2022 by itnerd

In a blog published Saturday, Microsoft says it has discovered  a destructive malware being used to corrupt systems of multiple organizations in Ukraine. Microsoft Threat Intelligence Center (MSTIC) first discovered the ransomware-like malware on January 13:

While our investigation is continuing, MSTIC has not found any notable associations between this observed activity, tracked as DEV-0586, and other known activity groups. MSTIC assesses that the malware, which is designed to look like ransomware but lacking a ransom recovery mechanism, is intended to be destructive and designed to render targeted devices inoperable rather than to obtain a ransom.

At present and based on Microsoft visibility, our investigation teams have identified the malware on dozens of impacted systems and that number could grow as our investigation continues. These systems span multiple government, non-profit, and information technology organizations, all based in Ukraine. We do not know the current stage of this attacker’s operational cycle or how many other victim organizations may exist in Ukraine or other geographic locations. However, it is unlikely these impacted systems represent the full scope of impact as other organizations are reporting.

Given the scale of the observed intrusions, MSTIC is not able to assess intent of the identified destructive actions but does believe these actions represent an elevated risk to any government agency, non-profit or enterprise located or with systems in Ukraine. We strongly encourage all organizations to immediately conduct a thorough investigation and to implement defenses using the information provided in this post. MSTIC will update this blog as we have additional information to share.

Given the current tensions between Russia, Ukraine, and NATO countries, it wouldn’t be too far of a stretch to say that the Russians are behind this.

Saryu Nayyar, CEO and Founder, Gurucul had this comment:

“As noted, this is not atypical ransomware as it overwrites the master boot record. Nation state threat actors usually have three objectives, spying for intelligence, intellectual property theft, and disruption/destruction. Clearly this is the latter as these threat actor groups aren’t interested in simple financial gain. What is of note is the malware propagates through publicly available code used for lateral movement and execution. Part of that execution is downloading of file corruption software from a Discord channel. This is where it is critical to employ adaptive machine learning and behavioral detection found in true next generation SIEMs identifying the lateral movement and connection attempts to Discord. In addition, identity and access analytics are extremely useful here to determine unusual or unauthorized remote access. The combination of the two goes beyond sifting through traditional IoCs that can easily be missed or escalated by traditional SIEMs or XDR tools.”

It also wouldn’t be too much of a stretch to suggest that we can expect to see more use of this type of malware as this political crisis continues.

UPDATE: Saumitra Das, CTO and Cofounder of Blue Hexagon had this comment:

“The tactics used in this attack seem to focus on disruption rather than moneymaking. Wiping the MBR causing systems to go down is not beneficial to criminal gangs out to make a quick buck but very effective for nation states as a provocation or tool used for larger aims. Usually, malware that extorts based on disruption does not usually make the system inoperable but merely throttles it.”

Guest Post: Almost 6 billion accounts affected in data breaches in 2021 Says Atlas VPN

Posted in Commentary with tags on January 17, 2022 by itnerd

The year 2021 was record-breaking in terms of the sheer size of data breaches. According to the data collected and analyzed by the Atlas VPN team, 5.9 billion accounts were affected by data breaches throughout 2021.

Atlas VPN has retrieved and calculated the numbers of breached accounts based on multiple publicly available sources. The total count includes worldwide data breaches that took place from January 1st, 2021, to December 31st, 2021.

February saw the biggest data breach of all-time  COMB, or in other words, the Compilation of Many Breaches, which is responsible for the leak of a whopping 3.2 billion unique cleartext email and password combinations. 

The breach was named this way because it is not a result of a single hack of a specific organization but rather combines leaked data from a number of different breaches spanning five years, including Netflix, LinkedIn, and others. The breached data was first offered for sale on RaidForums, an underground database sharing and marketplace forum, for just $2 in February.

Other breaches that made it to the top five biggest data leaks of 2021 include LinkedIn (700 million people), Facebook (533 million people), Brazil’s Ministry of Health (220 million people), and SocialArks (214 million people).

Cybersecurity writer and researcher at Atlas VPN Ruta Cizinauskaite shares her thoughts on 2021 data breach trends:

“Even with data breaches becoming a growing threat, it seems organizations are still not putting enough effort in protecting the personal information of their users. One of the first things every organization should do is evaluate the amount of sensitive user data it collects — the less sensitive data is stored, the lesser the risk of it being leaked.”

To read the full article, head over to:

Florida Hospital Employee Largely Stops A Ransomware Attack In Its Tracks

Posted in Commentary with tags on January 17, 2022 by itnerd

I have been saying for years that you have to have more than tech to stop a ransomware attack. You have to have employees who are trained to spot an attack and do the right thing. And this CNN Story illustrates this:

The emergency room of Jackson Hospital, a 100-bed facility on Florida’s panhandle, called to report that it couldn’t connect to the charting system that doctors use to look up patients’ medical histories. Jamie Hussey, Jackson Hospital’s IT director, soon realized that the charting software, which was maintained by an outside vendor, was infected with ransomware and that he didn’t have much time to keep the computer virus from spreading. The hospital shut down its computer systems on his advice.

“If we hadn’t stopped it, it probably would’ve spread out through the entire hospital,” Hussey said. Hospital staff ditched the electronic records and reverted to pen and paper to keep the hospital running and organized, he said, but patient care wasn’t disrupted.

As Hussey spoke to CNN Tuesday, the hospital’s IT systems were gradually coming online, and he was expecting phone calls from the FBI (which investigates hacking incidents) and Aon, a cybersecurity consultancy that Hussey said was supporting the recovery. He was trying to figure out if the hackers had stolen any hospital data, and if they might need to be paid off to get it back.

Now to be clear, he wasn’t 100 percent successful in stoping the attack, but it could have been far worse:

The emergency room’s charting system could be offline for the rest of the week, he said. (Doctors have been getting ER patient records from other parts of the hospital network). 

The entire hospital had to temporarily switch to what medical professionals call “downtime procedures” — contingency plans after Hussey’s team shut computers down. For several hours, things like physician notes and prescriptions for patients were processed by hand. 

The attackers also encrypted a computer server that Jackson Hospital uses to store non-critical organizational documents. Hussey was trying to figure out if there was anything in those files that contained data on Jackson patients and, if so, if the hospital should pay a ransom to get them back (he said he wasn’t aware of any ransom demand from the hackers).

Hopefully he doesn’t pay the scumbags a single dime as if there’s no profit in it, these hackers will move on to something else. And his method to get back online is one that other organizations should copy:

The recovery process at Jackson Hospital has been meticulous to ensure that malicious code isn’t lingering in some neglected part of the network. Hussey’s team went down the list of computer systems across the hospital, starting with the most critical, and made sure they weren’t infected with ransomware. They physically disconnected the hospital’s electronic health records system from the rest of the computer network to check them for malicious code before reconnecting to the system.

By Wednesday, hospital computers were back online except for the charting systems used by the ER.

Hussey said the decision to shut computer networks down may not be popular with some hospital staff, “but it’s better to be down a day than be down a month.” 

“Lock it down and piss people off,” Hussey, who has worked at Jackson for over 25 years, said in a Southern drawl. “It’s what you have to do just to secure your network.”

Agreed. This story highlights that all organizations need to be prepared for a ransomware attack. Be it with tech, and training. It may be the difference between a short term annoyance and a catastrophic event.