Archive for Hacked

DeadBolt Ransomware Targets QNAP Devices In The Latest Ransomware Attack On QNAP Devices

Posted in Commentary on January 26, 2022 by itnerd

If you own a QNAP NAS like I do, you’ve likely seen reports of various ransomware attacks on these devices over the last few months. The latest of these attacks is the DeadBolt ransomware, which started to appear yesterday. It claims to leverage a zero-day exploit and encrypts all your files unless you pay 0.03 bitcoins (approximately $1,100 USD). But as usual, paying the ransom will not guarantee that you get your files back.

One thing that’s unique about this latest ransomware strain is that the threat actors are also targeting QNAP:

On the main ransom note screen, there is a link titled “important message for QNAP,” that when clicked, will display a message from the DeadBolt gang specifically for QNAP.

On this screen, the DeadBolt ransomware gang is offering the full details of the alleged zero-day vulnerability if QNAP pays them 5 Bitcoins worth $184,000.

They are also willing to sell QNAP the master decryption key that can decrypt the files for all affected victims and the zero-day info for 50 bitcoins, or approximately $1.85 million.

“Make a bitcoin payment of 50 BTC to bc1qnju697uc83w5u3ykw7luujzupfyf82t6trlnd8,” the threat actors wrote in a message to QNAP.

“You will receive a universal decryption master key (and instructions) that can be used to unlock all your clients their files. Additionally, we will also send you all details about the zero-day vulnerability to security@qnap.com.”

That’s novel.

This follows other ransomware attacks on QNAP devices, specifically Qlocker and eCh0raix, which have been around for a while. All of these ransomware strains have one thing in common: they target Internet-exposed QNAP NAS devices. Thus your first course of action needs to be to take your QNAP NAS off the Internet and put it behind a firewall. These instructions can help you with that. Your next course of action is to follow these instructions, which contain QNAP’s own suggestions for securing your NAS. Now in my case, my NAS isn’t exposed to the Internet. In fact it never has been, as I’ve always considered that to be a massive security risk. I also run QNAP’s Malware Remover to add an extra level of security.

But that doesn’t change the fact that QNAP clearly has some serious security issues that allow these ransomware attacks to take place, as I don’t hear about similar attacks from other NAS vendors. Thus it would make sense for me to consider purchasing another brand of NAS, as QNAP NAS devices clearly have some extremely serious security issues that haven’t been addressed. Which means that QNAP really needs to step up their security game or more bad things will happen to them. Such as lost market share.

Canada’s Foreign Affairs Ministry Pwned By Hackers…. Russia Suspected

Posted in Commentary on January 25, 2022 by itnerd

Late yesterday it came to light that Foreign Affairs Canada had been hit by some sort of cyberattack with pretty serious consequences according to Reuters:

The incident was detected last Wednesday, a day before Canada’s signals intelligence agency said network operators of critical infrastructure should boost their defenses against Russian state-sponsored threats.

“Critical services … are currently functioning. Some access to internet and internet-based services are currently not working,” said a statement from the Treasury Board, which has overall responsibility for government operations.

As you can tell from that statement, the suspicion is that Russia is behind this. Which isn’t a surprise with their actions against Ukraine and the tensions that it created. Canada doesn’t typically comment on these sorts of things. But I suspect that we’ll hear more about this in the coming days.

UPDATE: Chris Olson, CEO of The Media Trust, had this comment:

“As highlighted by recent events, the ability to disrupt digital channels has become a strategic weapon in today’s geopolitical environment. Shutting off or redirecting websites/mobile apps harms not only consumers looking to access those services but also revenue and communication channels for business and government entities. Avoiding this scenario requires continuous monitoring of client-side experience to detect anomalous activity (domains, vendors) before it propagates and causes extensive damage. Establishing and maintaining digital trust and safety is a priority in 2022.”

UPDATE #2: Saryu Nayyar, CEO and Founder, Gurucul had this comment:

“As Canada’s own intelligence agencies have recommended just prior to the attack, organizations need to upgrade their security capabilities in lieu of potential Russian attacks. Outside of even nation state threats, threat actor groups continue to evolve their campaigns. However, despite existing investments in perimeter and defensive solutions, endpoint, XDR, and SIEM, threat actors are still evading these tools successfully. With stolen credentials and phishing attacks being used to get inside networks easily, upgraded solutions that offer behavioral based threat detection along with adaptable machine learning (ML), not rule-based, and true artificial intelligence models found in a small set of next generation SIEMs are critical to stop these multi-staged attack campaigns.”

Cisco Talos Takes A Look At ‘WhisperGate’ Wiper Malware Used In Ukraine

Posted in Commentary on January 24, 2022 by itnerd

Researchers with Cisco Talos have broken down the WhisperGate wiper malware used in Ukraine to deface websites, noting similarities between the malware, dubbed ‘WhisperGate’, and the previously seen NotPetya wiper. Cisco Talos reports that while there are similarities, WhisperGate has more capabilities ‘designed to inflict additional damage’, using multiple wipers to successfully attack different modern systems.

Saryu Nayyar, CEO and Founder, Gurucul had this comment:

“Stolen credentials being abused continues to be a major factor in many malware campaigns. However, identity infrastructure is insufficient to prevent seemingly legitimate users from doing damage. User access analytics with advanced machine learning models that understand how users are engaging in abnormal behaviors which we can then clearly attribute to a malware attack with high confidence. Only a next generation SIEM with these specific capabilities can help security teams with a critical vector of many major attack campaigns in order to accelerate an appropriate response.”

Cisco Talos recommends this mitigation strategy:

Cisco Talos supports the recommendations made by CISA that organizations with interests in the area carefully monitor and isolate systems with connections to Ukraine due to the ongoing challenges they face. This mirrors the recommendations we made in 2017 shortly after NotPetya and our analysis of the malware’s effects.

If that’s you, I would take their advice and run with it.

UPDATE: Chris Olson, CEO, The Media Trust had this to say:

“New reports on the ‘WhisperGate’ malware prove that global cyber actors are becoming more sophisticated, more dangerous and better at evading detection. As web-based attacks become increasingly intertwined with political motives, we expect a rise in similar incidents targeting government agencies, big corporations and critical infrastructure.”

“It’s crucial for decision makers to realize that Web is a powerful threat vector: more powerful than email, and other traditional channels for cyberattacks. Going forward, continuous monitoring of digital assets is the only way to stay safe, collect evidence, and keep up with a constantly shifting cyber landscape.”

UPDATE #2: Bryson Bort, Founder & CEO, SCYTHE had this to say:

“WhisperGate reflects the gray area of destruction and disruption that nation state actors use as a lever in realpolitik: in this case, Russia is using these tactics because there is no reprisal they fear from Ukraine and her allies while making a clear threat of more. Expect more. And, the rest of us can only hope the collateral damage is contained.”

Dark Souls Servers Taken Down To Prevent Hacks Using Critical Remote Execution Bug

Posted in Commentary on January 24, 2022 by itnerd

Dark Souls, the popular video game, has reportedly taken down its servers to prevent hacks via some critical bugs that could allow bad actors to take control of your PC. According to reports on Reddit, the vulnerability is a remote code execution bug, which could allow attackers to take control of users’ systems, gain access to sensitive info, plant malware or use resources for crypto mining. Dark Souls confirmed the temporary deactivation on Twitter.

There is currently no indication when things will come back online.

I have a pair of comments to share. First is from Saryu Nayyar, CEO and Founder, Gurucul:

“The risk of remote worker networks is very apparent from this attack. As we connect our gaming systems to the same network as resources that attach to the corporate network, the infection can easily spread from home to a much bigger operation. It is critical for security teams to understand how users are accessing network resources but incorporate that information into risks and severity associated with attack campaigns. This is where identity and specifically access analytics incorporated into next generation SIEM can narrow down indicators of compromise and determine malicious behaviors hiding as authorized user activity.”

The second is from Jorge Orchilles, CTO, SCYTHE:

Remote code execution (RCE) vulnerabilities aren’t new or rare but they are dangerous when no one knows they exist. We see threat actors use RCEs all the time, especially when the vulnerabilities do not have a patch available. Cybercriminals can use these vulnerabilities to execute malicious code in the application to gain access to the underlying system for fun and profit. Companies impacted by these types of vulnerabilities need to take immediate action to protect their customers by releasing patches. Meanwhile, gamers affected should monitor their systems for abnormal activity such as crypto-miners.

Taking this game offline, at least partially, is the right move. Hopefully Bandai Namco, who make the game, are able to fix this issue, bring the service back online, and assure users that the only pwnage that will take place is related to the game.

Red Cross Pwned…. Data On 515K People Swiped

Posted in Commentary on January 20, 2022 by itnerd

It seems that the International Red Cross has been pwned by hackers. The organization says that it was the victim of a “sophisticated cyber-attack” and that data on 515,000 “highly vulnerable” people has been stolen. The BBC has details:

The Geneva-based body said the hackers had targeted an external company in Vienna the ICRC uses to store data.

There is no sign the data has yet been leaked, but the ICRC has had to shut down the system it uses to reunite families separated by war.

ICRC Director-General Robert Mardini said the hack put vulnerable people at greater risk.

“An attack on the data of people who are missing makes the anguish and suffering for families even more difficult to endure,” Mr Mardini said.

“We are all appalled and perplexed that this humanitarian information would be targeted and compromised.”

And he called on those responsible to “do the right thing – do not share, sell, leak or otherwise use this data”.

Well good luck with that because clearly that data is valuable to somebody. And on top of that, the data was swiped from an external company. Which highlights the fact that if you store data with third parties, you all have to be on the same page as to how that data is secured. Otherwise bad things will happen. As is the case here.

The bottom line is that this is not a good situation for anyone.

UPDATE: I have a comment from Darktrace’s David Masson, Director of Enterprise Security:

“Most cyber-criminals steal personal data to monetize the information, but what financial gain could possibly be derived from stealing the personal information of some of our world’s most vulnerable people? This cyber-attack is an unfortunate and devastating example that no one and no organization is immune to cyber harm. The fact that the Red Cross is appealing to the attackers to return the stolen data indicates that it is no longer under the organization’s control, safe-keeping, and trust.  

While reputational damage will be a concern for an organization, it pales compared to the potential harm that may come to already highly fragile individuals and groups. If the attackers do not return the data, then hopefully, the Red Cross receives the aid and support it needs to find and secure the information quickly, start delivering much-needed reassurance to those who rely on the organization, and get its “Restoring Family Links” program back up and running soon.”

UPDATE #2: I got a comment from Saumitra Das, CTO and Cofounder, Blue Hexagon:

“It is critical for organizations to not just worry about their cyber hygiene but also third parties that they use to store their data or host their services including large cloud service providers. Even if you are well secured, your data can still be breached by attacks on third parties. It is critical to evaluate the security controls and not just compliance policies of third parties an organization works with whether they provide appliances, SaaS services, hosting or infrastructure as a service.”

UPDATE #3: Elizabeth Wharton who is the VP, Operations for SCYTHE added this comment:

The disclosed impacted data is attractive to cyber criminals for use in perpetuating fraud, among other possibilities. The data is difficult to protect and can be used for identity theft, for example. These vulnerable populations likely don’t have the resources to follow up and clear the discrepancies due to financial or perhaps personal safety reasons.

UPDATE #4: Saryu Nayyar, CEO and Founder, Gurucul had this comment:

“This is an ugly attack on individuals and families by threat actors. While the extent of the purpose is unclear, it shows that no organization is safe regardless of the nobility of the cause. Charitable organizations are at least as understaffed as enterprises when it comes to security personnel and resources.  They must augment their security capabilities while keeping costs low. This requires moving to solutions that have true machine learning (ML) and artificial intelligence (AI) engines and advanced analytics to help them automate both threat detection and incident response (TDIR). It also requires a cost structure that allows for flexibility and scale across cloud, on-premise and remote environments without escalating capital and operational expenditure significantly.”

Ukrainian Government Websites Hit With Cyberattack

Posted in Commentary on January 14, 2022 by itnerd

BuzzFeed Correspondent Christopher Miller is reporting on Twitter that several Ukrainian Government websites have been hit with some sort of a cyberattack.

The websites of several government departments including the ministry of foreign affairs and the education ministry have been taken out by this attack.

Elizabeth Wharton who is the VP Operations for SCYTHE had this to say:

This is not surprising. It’s cyber harassment typical with Russian active measures doctrine, which uses disinformation, propaganda, and deception in an attempt to influence world events and disrupt governments.

Saryu Nayyar, CEO and Founder, Gurucul had this to say:

“Nation state threat actors continue to take an active involvement in destabilizing infrastructure, governments, and businesses whether for profit or pure political objectives. Security can no longer continue to be an insurance policy. It must become a critical part of the infrastructure at every step. World governments must start funding and investing in cyber security training, educational programs, and awareness. In addition, without continuous evaluation and investment in next generation security technologies that optimize security operations, threat actor groups will continue to be able to disrupt governments and economies.”

Given the tension between NATO nations and Russia at the moment, it will not be surprising to see more attacks like this in the coming days.

UPDATE: I have additional commentary from Toby Lewis, Head of Threat Analysis at Darktrace:

“It’s too early to discuss technical details – but right now, an attack appears to have targeted and brought down several Ukrainian government websites. Governmental websites are typically built on common software which explains the domino effect of website shutdowns that we are seeing. We should be cautious around labelling this as a ‘sophisticated’ attack. Some cyber-attacks are more successful than others, some are advanced and others less so. A distributed denial of service (DDoS) attack for example, which is an attempt to bring down websites or networks by overwhelming the web server with internet traffic, is not particularly sophisticated and relatively easy to mitigate. Some of the website defacements, such as those left on the Education Website and the Ministry of Foreign Affairs, are designed to mimic “nationalist/separatist groups” with claims that the attack was done in the name of the UPA (Ukrainian Separatist Army) which has not existed for over 50 years. Attribution is impossible to do with digital data alone and it is not unlikely that this is a false flag to divert attention away from the true perpetrators, to stir up unrest or simply impact the credibility of the website owners. While some of the defaced websites are claiming that data was leaked to the public, the Ukrainian Government is denying this and no leaked data has appeared yet. We will have to wait to see if more damage has been done beyond website defacement, but if the attackers really have access to sensitive data or have detonated ransomware, why would they shout the loudest about website defacement? Across our customer base we have seen the use of noisy attack techniques to distract security teams’ attention away from more stealthy attacks; it remains to be seen if that is the case here.”

UPDATE #2: Saumitra Das, CTO and Cofounder, Blue Hexagon had this to say:

“It is interesting that this is happening on the heels of the REvil arrests as well as right when the talks have ended in a stalemate. It shows how cyber warfare is becoming a major tool for nation states to augment conventional means. The arrest by the authorities related to the REvil group is a major win for law enforcement, but make no mistake, another group will attempt to fill the shoes and attempt to recycle the extensive network set up by the REvil group.”

BREAKING: REvil Apparently Shut Down By Russian Law Enforcement

Posted in Commentary on January 14, 2022 by itnerd

This comes as a bit of a surprise, and I have to admit that I am still somewhat skeptical about this. But word is hitting the wires that REvil, which is best known for its high profile ransomware attacks and even grabbing the schematics of 2021 MacBook Pros, has been taken down by Russian law enforcement. The FSB posted this early today announcing the arrests. But for the benefit of those who don’t read Russian, I have this translation for your reading pleasure.

While no doubt welcomed by some, this comes at a very convenient time given the tensions between Russia and the US as well as other NATO countries. My guess is that this is nothing more than a token gesture. Now if the Russians were willing to extradite these individuals to the US to face justice, then maybe I would take it more seriously. Thus I am going to take this announcement with more than a pinch of salt. 

Teen Claims To Have Pwned Tesla Cars In 13 Countries

Posted in Commentary on January 13, 2022 by itnerd

A 19-year-old claims to have hacked into more than 25 Tesla cars in 13 countries, saying in a series of tweets that a software flaw allowed him to access the EV pioneer’s systems.

David Colombo, a self-described information technology specialist, tweeted Tuesday that the software flaw allows him to unlock doors and windows, start the cars without keys and disable their security systems. Colombo noted that he could not drive the cars remotely.

Media reports can be found here and here.

Tesla hasn’t responded to this yet. But if this is true, this is a serious problem for Tesla. And it reminds me of a similar situation with GM’s OnStar, where someone came up with a method to do something similar to OnStar-equipped cars, which was dubbed “OwnStar”.

Morgan Whitlow, Sr. Security Researcher, www.grimm-co.com had this commentary:

“From what has been said by Colombo both in the original posts to social media and within interviews, it sounds like this might have been a vulnerability in Tesla’s mobile companion app or the related API.

Many of the commands and functions he mentions line up with the mobile app’s features and capabilities: honking the horn, flashing the lights, unlocking the door, etc. This could explain how he’s able to perform certain commands on vehicles without being able to, say, drive it around like a toy RC car, or having to be within a certain range; the app/API doesn’t support that level of control.

If he’s found a way to exploit the app/API, or to log in as the customer, then he’s essentially tricking Tesla’s backend servers into believing that he’s the legitimate owner, and they’ll carry out any app-allowable command just the same as they would normally. That said, it’s hard to say this with any certainty until we have more concrete information, but it’ll be interesting to watch it unfold.”

I’ll be watching this very closely as this is something that Tesla will have to respond to very quickly in order to keep their owners safe and confident about their rather expensive electric vehicles. Watch this space.

Grass Valley CA Pwned… Data Stolen

Posted in Commentary on January 10, 2022 by itnerd

An investigation into a data breach attack of Grass Valley, California, has discovered city employee and citizen information was exposed. The breach, which occurred between April 13th and July 1st, 2021, resulted in an attacker transferring files outside of the network, including financial and personal info of “individuals associated with Grass Valley”.

I have some commentary from Saryu Nayyar, CEO and Founder of Gurucul on this attack:

“The ability to understand users, access and entitlements are essential in determining anomalous behaviors for determining whether access to and transmissions of sensitive data is actually the work of a malicious threat actor. Moving from traditional SIEMs and XDR tools to a next generation SIEM with XDR capabilities is critical as the initial activity, before data theft occurs, can be prioritized as a high-risk event based on a baseline of what is normal as well as monitoring for deviations that are indicative of an attack campaign, especially with adaptable Machine Learning (ML) models.”

It’s pretty clear that prevention and detection are the best ways to avoid being the next Grass Valley. Thus hopefully organizations of all sizes take note of this incident and plan their defences accordingly.

UPDATE: Elizabeth Wharton, who is the VP Operations of SCYTHE, had this to say:

Municipalities struggle to identify and respond to data breaches, as I’ve experienced first-hand in the past. They suffer significantly from the cybersecurity skills gap, often with limited budgets. The cybersecurity industry needs to give them tools that help their teams gain experience with real-world threats so that they can continuously validate their processes and technologies, but it needs to provide them at a price-point that makes sense.

Ravkoo Pwned In “Hilariously Easy” Hack

Posted in Commentary on January 6, 2022 by itnerd

US online pharmacy Ravkoo has disclosed a data breach after the company’s AWS-hosted cloud prescription portal was involved in a security incident that may have led to personal and health info being accessed. Ravkoo says it has found no evidence that customers’ SSNs were accessed, adding that it does not store SSN data on the affected prescription portal. What’s unique about this situation is that the alleged hacker is speaking out:

The data from the Cadence Health and Ravkoo sites was provided to The Intercept by an anonymous hacker who said the sites were “hilariously easy” to hack, despite promises of patient privacy. It was corroborated by comparing it to publicly available information.

If anything is “hilariously easy” to hack, then clearly security wasn’t a top of mind concern.

I have commentary from two sources. The first is Aimei Wei, Founder and CTO of Stellar Cyber:

“Security considerations have become a mandatory part of application development in today’s digital environment. Unfortunately, not every developer is a security expert. Using security scanning/pen testing before the application is released is an absolute necessity for every application. However, having a continuous monitoring, threat detection and response system is your best line of defense.”

The second comment that I have is from Saryu Nayyar, CEO and Founder of Gurucul:

“Security solutions with cloud-native architectures that can monitor AWS or other cloud-hosted infrastructure for threat actor activity are critical for organizations to migrate to. In this particular case, an exposed admin interface was not exploited by malware or a sophisticated attack campaign, however user behavioral analytics and more importantly identity access monitoring would have quickly alerted Ravkoo’s security team to this cloud hack. In addition to cloud threat monitoring, organizations need a next generation SIEM that can also monitor for and identify anomalous behaviors based on the aforementioned software capabilities.”

The bottom line is this. You want to harden your environments to such a degree that nothing is “hilariously easy” to hack. Otherwise, you get this sort of bad press.