The IT Nerd

The CISA and the FBI yesterday released a joint advisory warning on an unnamed Iranian Government-Sponsored APT which breached the Federal Civilian Executive Branch (FCEB) organization to deploy XMRig crypto mining malware. This was done by compromising the federal network after hacking into an unpatched VMware Horizon server using an exploit targeting the Log4Shell remote code execution vulnerability.

Yaron Kassner, CTO and Co-Founder, Silverfort had this to say:

     “The alert from CISA is evidence of the unfortunate legacy we were warned to expect from Log4Shell at the time of its discovery. It is a gift to state actors and access brokers and this attack is proof of the impact critical vulnerabilities such as this can have when left unpatched .“As we see here, once a toehold is gained – attackers are then able to simply pick up administrator credentials and use them to move laterally, before eventually compromising the entire domain.”

“This emphasizes the need for MFA inside the network, which was clearly missing here. Hopefully, crypto-mining was the sole outcome of this attack and not more than that.”

The take home message is that if you haven’t got your exposure to the Log4Shell vulnerability under control, you will get pwned. Thus you should get about making sure that you’re not the next victim of some threat actor taking advantage of Log4Shell.

Last week word started to filter out that Canadian grocery chain Sobeys got pwned by ransomware. The chain claimed that they had an “IT issue”, but by the end of the week there was proof that they had been pwned. Now CBC News is giving us an inside look at the chaos that ensued after the chain was pwned:

“Somebody higher up got an email and basically clicked a link they weren’t supposed to,” said the front-end Safeway employee. “I don’t know the exact dollar figure, but I know it was like millions, like several millions.”

The troubles began overnight Thursday, Nov. 3 into Friday, Nov. 4.

When employees arrived for work on Friday, their computers took longer than usual to boot up, and when they finally did, “nothing came up other than this big white block in the middle of the screen that said ransomware, please comply before proceeding, or something like that,” said a worker in a meat and seafood department at a Safeway store.

“I saw the word ransom and that scared me right away.”

And:

The computer issues have also disrupted Empire’s ability to maintain its usual scheduling and payroll systems.

“I literally went into work and there was like a schedule written down on a piece of paper and I’m like, what is this?” said a worker.

Some employees are being asked to write down their hours in a logbook.

Employees in the chain are paid every other week, and some were told last week they would not get paid last Thursday, their scheduled payday.

However, workers later told the CBC the company found a workaround: since the first week of the two-week pay period occurred before the ransomware attack, employees would receive the same amount of pay for the second week, even if they did not work the same number of hours. Each employee also received an extra $100 on Thursday to compensate for any extra hours they may have worked the second week.

Once the payroll system is functioning again, any worker who was overpaid will be expected to return overpayments.

And:

Many customers are likely unaware of the difficulties employees are dealing with. But some impacts have been clear.

On the first day of the outage, some self-checkout machines weren’t working.

“The lineups at the tills, because people aren’t used to that and we pump a lot of people through these self checkouts — so, a lot of pissed-off customers over that,” said a Safeway worker.

Customers have been unable to use gift cards or redeem Scene loyalty points, and stores have been unable to process Western Union transfers — causing frustration for some, one employee said. 

The company has not officially told employees the cause of the outage. They have been instructed to simply tell customers it’s an IT issue.

“You kind of feel bad having to like just you know, water it down, what’s really going on, to customers,” said an employee. “You feel like you’re deceiving everybody because there’s more going on behind the doors than what they’re trying to make it out to be.”

This shows the sort of carnage that being pwned by ransomware can cause. It also shows what happens when you don’t have a remediation strategy in place in case you do get pwned. Clearly Sobeys had a huge hole in their cybersecurity plan. Or they didn’t have a plan. Either way, I say parliament should find out. Sobeys is the second largest grocery retailer in the country, which means that this is a non-trivial event. And Canadians deserve answers as to how and why they got pwned and how they will avoid getting pwned again in the future.

Yesterday I spoke of Canadian packaged meat producer Maple Leaf Foods getting pwned in a cyberattack. They didn’t have a lot of details, but it was clearly bad enough that they had to admit that it happened. Now BlogTO is reporting that Canadian grocery store chain Sobeys appears to have also been pwned as well:

A Sobeys employee who wishes to remain anonymous tells blogTO that the company was indeed “hit with a ransomware attack,” adding that “all our computers were down with a message on screen demanding payment or else files were going to be uploaded online.”

“Along with our computers being down, our smart carts and self-checkouts were also down. Today, November 5, when I came into work, I found out that all Sobeys stores, including other stores under the Sobeys umbrella, are affected by this attack.”

BlogTO isn’t the only ones reporting on this. A YouTuber named “Pupsker” is reporting the same thing:

Assuming that this is accurate, and I have no reason to believe that this isn’t accurate, 1500 stores were affected. Making this a non-trivial event. Given how big this potentially is, Sobeys will have to comment at some point. And it will be interesting to see what they say.

For those of you outside of Canada, Maple Leaf Foods is the biggest packaged meat producer in the company. If you go into any supermarket in the country, you will see their products. And over the weekend, they apparently got pwned in a cyberattack. Here’s their statement:

Upon learning of the incident, Maple Leaf Foods took immediate action and engaged cybersecurity and recovery experts.  Its team of information systems professionals and third-party experts are working diligently with all available resources to investigate the outage and resolve the situation.   The Company is executing its business continuity plans as it works to restore the impacted systems; however, it expects that full resolution of the outage will take time and result in some operational and service disruptions.  The Company will continue to work with all its customers and suppliers to minimize these disruptions in order to continue delivering the nutritious food people need.  

That’s literally all their statement said. I’ve been poking around the places that I usually look for this sort of thing and I don’t see any mention about Maple Leaf Foods being pwned. But it will be interesting to see whom claims responsibility for this, and if this affects the food supply in Canada.

Watch this space.

Continental is one of, if not the largest tire company in the world. I’ve had their tires on my bikes and a couple of cars that I’ve owned. Too bad for them that Lock Bit claims to have pwned them in a ransomware attack:

The LockBit ransomware gang has claimed responsibility for a cyberattack against the German multinational automotive group Continental.

LockBit also allegedly stole some data from Continental’s systems, and they are threatening to publish it on their data leak site if the company doesn’t give in to their demands within the next 22 hours.

The gang has yet to make any details available regarding what data it exfiltrated from Continental’s network or when the breach occurred.

It is possible that this is linked to a security breach in early August. But that’s hard to say. The 22 hours should be up at any time so I guess we’ll find out what Lock Bit has access to. But this illustrates the current nature of ransomware gangs. Get in, steal data, and threaten to leak it if one doesn’t pay up. Thus companies need to be ready to ideally prevent being victims of this sort of activity.

New research from Group-IB on OPERA1ER shows the threat group has stolen at least $11 million from banks and telecommunication services providers. The OPERA1ER obtained initial access via phishing emails and would spend 3 to 12 months inside compromised networks, performing lateral phishing attacks and studying internal documentation to understand money transfers.

Mike Fleck, Senior Director of Sales Engineering at Cyren:

     “Combining phishing, malware, and account takeover is a common attack chain. What seems to differ is the motivation of the attackers. A bad actor doing a “spray and pray” campaign will grab whatever data is available once they’ve takeover an account (e.g. recent GitHub account compromise at Dropbox). However, it’s the determined and targeted attacks that pivot off the initial access to launch a more profitable/damaging follow on. Regardless, phishing remains an unsolved issue and a precursor for data breaches and financial losses.”

Clearly OPERA1ER is a dangerous group that needs to be monitored as I can see them evolving to be even more dangerous over time. In the meantime, the report is very much worth your time to read.

UPDATE: Dr. Darren Williams, CEO and Founder, BlackFog had this comment:

     “The Ransomware as a Service model is alive and well and is now the defacto standard for cybercriminals. This gives hackers the ability to leverage the best tools available at any moment in time for a percentage of the takings. This latest attack with gains of $11m just proves how viable this model really is. It also clearly demonstrates that existing EDR based solutions offer too little, too late to really protect the organizations key asset, its data. As we can see from these attacks, once a hacker has gained access to the network, lateral movement and data exfiltration plays a key role in the success of the attack. Organizations should be focused not only on defensive approaches, but also on anti data exfiltration to protect any possible lateral movement or data loss to prevent any attempt of data extortion.”

Dropbox has disclosed a security breach after a threat actor stole 130 code repositories after gaining access to a GitHub account using employee credentials stolen via a phishing attack. 

At Dropbox, we use GitHub to host our public repositories as well as some of our private repositories. We also use CircleCI for select internal deployments. In early October, multiple Dropboxers received phishing emails impersonating CircleCI, with the intent of targeting our GitHub accounts (a person can use their GitHub credentials to login to CircleCI).

While our systems automatically quarantined some of these emails, others landed in Dropboxers’ inboxes. These legitimate-looking emails directed employees to visit a fake CircleCI login page, enter their GitHub username and password, and then use their hardware authentication key to pass a One Time Password (OTP) to the malicious site. This eventually succeeded, giving the threat actor access to one of our GitHub organizations where they proceeded to copy 130 of our code repositories. 

These repositories included our own copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by the security team. Importantly, they did not include code for our core apps or infrastructure. Access to those repositories is even more limited and strictly controlled.

On the same day we were informed of the suspicious activity, the threat actor’s access to GitHub was disabled. Our security teams took immediate action to coordinate the rotation of all exposed developer credentials, and determine what customer data—if any—was accessed or stolen. We also reviewed our logs, and found no evidence of successful abuse. To be sure, we hired outside forensic experts to verify our findings, and reported this event to the appropriate regulators and law enforcement.

Mike Fleck, Senior Director of Sales Engineering at Cyren had this to say:

     “This is another reminder that phishing is an unsolved problem. Attackers are continuously updating their credential harvesting tactics, now with the ability to defeat common forms of MFA. By having the employee enter their username, password, and one-time token, the attacker easily had access to any privileges that employee had. Employees will always receive convincing but fraudulent emails. Submitting users to security awareness training with the expectation they will spot all of these attacks is unrealistic. Businesses need to use additional layers of email security to automate the hunting and removal of these social engineering attacks.”

I would add that this is why a move to something like passwordless authentication might be worth considering as it cuts off this attack vector. I say that because based on what Dropbox has said in its disclosure, the threat actor used the law of averages in their favour to break in. And what companies need to do is to cut off as many attack vectors as possible to avoid being pwned by hackers.

Michigan Medicine has notified patients of an employee email account breach which exposed health information of about 33,850 patients. 

From August 15^th through August 23^rd, a cyber attacker targeted Michigan Medicine employees with an email phishing scam, luring employees to a webpage designed to get them to enter their Michigan Medicine login ingo. Four employees entered their info and then inappropriately accepted MFA prompts, allowed the attacker to access their email accounts.

Ooops.

John Stevenson, Director of Product at Cyren had this to say:

     “The fact that four separate employees followed the phishing link and accepted multi-factor authentication prompts shows how sophisticated these attacks can be. It is as a stark reminder that phishing continues to plague the healthcare industry. Of the 684 breaches of healthcare data reported to the US Government, 41% of them resulted from email incidents. The majority of those email incidents (74%) were from phishing vs. malware or accidental disclosure.

Many companies might blame the user in situations such as this for not heeding the lessons of the corporate Security Awareness Training (SAT) program. However, the reality is that SAT must be augmented with the right inbox security. What is needed is additional assistance for the user such as Scan and Report buttons within the Outlook inbox that empower the user to put the lessons learned from SAT into practice then and there, taking a proactive approach to email security.”

This illustrates the fact that people are the weakest point in cybersecurity. And organizations need to focus on making that a non factor to stop incidents like this from happening.

Vinomofo, an Australian wine dealer, suffered a cyber attack after a third party accessed their database on a testing platform, according to the company Chief Executive. Vinomofo’s 500k customers are at risk of having names, DOBs, addresses, email addresses, phone number and genders leaked. Vinomofo has stated they do not hold identity or financial information of their customers and no passwords were accessed. Which is cold comfort to anyone who’s been affected by this.

Dr. Darren Williams, CEO and Founder, BlackFog had this comment:

     “This attack is the latest in a string of occurrences aimed at Australian businesses. As we can see, small businesses are just as vulnerable to cyberattacks as larger enterprises. We are seeing a growing trend where threat actors are focusing on organizations with weak cybersecurity posture as they are easy prey. If Australian companies fail to invest in preventative cybersecurity measures, they will surely begin to see the country rising in the ranking of the most attacked countries. Although this particular attack has not yet revealed banking information, any leaked customer data will undoubtably have serious consequences. When it comes to preventing these types of cyberattacks and breaches, organizations must take a new approach, only by preventing data exfiltration can they really ensure their data and that of their customers is truly secure.”

The other Australian businesses who have been pwned lately include Optus and Medibank. Clearly the government in Australia needs to do more to force companies to have better defences against this sort of thing. I say that because clearly the status quo is not working.

It came to light on Friday that Tata Power who is part of the massive Tata group got pwned by hackers. Not a whole lot is known about the extent of this hack. But:

The company has taken steps to retrieve and restore the systems, it informed. All critical operational systems are functioning; however, as a measure of abundant precaution, restricted access and preventive checks have been put in place for employee and customer facing portals and touch points, it added.

I have a comment from Darktrace Analyst Hanah Darley:

From the available information, Tata Energy will likely have implemented Multi-Factor Authenitcation (MFA) in response to the cyber-attack which is an effective method of imposing additional controls on who can access organisational networks. Unfortunately, it is not a guarantee that implementing MFA will resolve a breach if a hacker has maintained access gained before the MFA was in place and we have seen recently that MFA companies can themselves become targets in attacks.

Tata Energy have made it clear that their critical operational systems are still functioning, meaning that while the breach effected IT infrastructure, their OT system are still working. Depending on how the breach occurred, there are multiple ways that only certain portions of their digital estate was affected while leaving other portions untouched, depending on how much the attackers were able to move laterally or how interconnected their systems are. Critical national infrastructure, especially industrial systems tend to involve legacy software and have difficulty maintaining patches for software, which inherently make them more vulnerable than the average organisation. Hackers are increasingly demonstrating their willingness to exploit this for their own malicious purposes.

I am sure that additional details will come out in the days ahead as Tata isn’t a small company and details will usually filter out sooner or later. Watch this space for details.