Archive for Hacked

Marriott Pwned Again… Over 5 Million Affected This Time

Posted in Commentary on March 31, 2020 by itnerd

It seems that Marriott is unable to keep itself out of the news for all the wrong reasons. CNET among others is reporting that they’ve been hacked again. This hack affects at least 5 million guests. This follows a hack of Marriott property MGM Resorts back in February which leaked the details of 10.8 million guests. And that was on top of this absolutely epic hack from 2018. Here’s what happened this time around:

At the end of February, Marriott International said that it spotted an “unexpected amount” of guest information may have been accessed with the login credentials of two employees at a franchise property. The exposed information may include names, addresses, emails, phone numbers and birthdays. Loyalty account details and information like room preferences may also have been breached. This is the second major incident to impact the hotel over a two year period.

Clearly Marriott can’t get its act together when it comes to cybersecurity. It’s time that this hotel chain get slapped silly so that they get the point that they have to take cybersecurity seriously. Because they clearly don’t based on how often they get hacked.

Security Vulnerability In Millions Of Cable Modems Could Leave You Vulnerable To Pwnage By Hackers

Posted in Commentary on January 13, 2020 by itnerd

Four Danish researchers have demonstrated how a hacker could exploit a vulnerability in the firmware of some cable modems and completely hijack the modem to do whatever they want. The vulnerability, which is called “Cable Haunt”, is said to be present in well over 200 million cable modems worldwide and is described in this manner by the people who found it:

Cable Haunt is a critical vulnerability found in cable modems from various manufacturers across the world. The vulnerability enables remote attackers to execute arbitrary code on your modem, indirectly through an endpoint on the modem. Your cable modem is in charge of the internet traffic for all devices on the network. Cable Haunt might therefore be exploited to intercept private messages, redirect traffic, or participate in botnets.

The vulnerable endpoint is exposed to the local network, but can be reached remotely due to improper websocket usage. Through malicious communication with this endpoint, a buffer overflow can be exploited to gain control of the modem.

The one thing that these cable modems have in common is that all the affected modems use Broadcom-designed firmware. And updates to said firmware will be needed to close this vulnerability. The researchers note that there are presently no known attacks in the wild. But with the release of this report and the demonstration of how to exploit it, that is likely to change. Thus you have to hope that you haven’t been affected. To test if you could be vulnerable, there is a test script that you could run, but it’s not something that I would direct the general public to. Thus I am hoping that a more “user friendly” way to test for this vulnerability appears. That way it increases the pressure on ISPs and modem manufacturers to get on with fixing this.
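The researchers’ description above boils down to two defensive lessons: a WebSocket endpoint that is only meant for the local network is still reachable by any web page a user on that network loads, so the server must check the Origin header rather than trusting network position, and it must bound message size before handing data to a fixed-size parser. The following Python is an added illustration of those two checks and is not code from the Cable Haunt report or from any modem firmware; the `/ws` path, the allow-listed origins and the 1024-byte limit are assumed placeholders.

```python
# Added example: handshake and frame-size gate for a LAN-only WebSocket service.
# Not taken from the Cable Haunt report or any vendor firmware; origins, path and
# size limit below are assumptions for illustration.
from typing import Dict, Tuple

ALLOWED_ORIGINS = {"http://192.168.100.1", "http://modem.local"}  # assumed local UI origins
MAX_FRAME_BYTES = 1024  # assumed upper bound for this endpoint's legitimate messages

# Constructed sample handshakes: one from the modem's own UI, one relayed by a
# page served from an unrelated site that the victim's browser happened to load.
LOCAL_REQUEST = (
    b"GET /ws HTTP/1.1\r\nHost: 192.168.100.1\r\n"
    b"Upgrade: websocket\r\nConnection: Upgrade\r\n"
    b"Origin: http://192.168.100.1\r\n\r\n"
)
REMOTE_REQUEST = (
    b"GET /ws HTTP/1.1\r\nHost: 192.168.100.1\r\n"
    b"Upgrade: websocket\r\nConnection: Upgrade\r\n"
    b"Origin: http://attacker.example\r\n\r\n"
)


def parse_upgrade_request(raw: bytes) -> Dict[str, str]:
    """Parse the header block of an HTTP/1.1 Upgrade request into lower-cased names."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def check_handshake(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Accept only a genuine WebSocket upgrade whose Origin is on the allow list."""
    if headers.get("upgrade", "").lower() != "websocket":
        return False, "not a websocket upgrade"
    origin = headers.get("origin")
    if origin is None:
        return False, "missing Origin header"  # non-browser clients get no free pass either
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin} not allowed"
    return True, "ok"


def check_frame(payload: bytes) -> Tuple[bool, str]:
    """Reject oversized payloads before they reach any fixed-size parser buffer."""
    if len(payload) > MAX_FRAME_BYTES:
        return False, f"payload {len(payload)} bytes exceeds {MAX_FRAME_BYTES}"
    return True, "ok"
```

Run `check_handshake(parse_upgrade_request(REMOTE_REQUEST))` to see the cross-origin handshake refused while the local one is accepted.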


If You Haven’t Patched Your Citrix Application Delivery Controller and Unified Gateway, You Might Already Be Pwned By Hackers

Posted in Commentary on January 13, 2020 by itnerd

Last month Citrix disclosed a critical security hole (CVE-2019-19781) in both its Application Delivery Controller and Unified Gateway (formerly known as NetScaler ADC and NetScaler Gateway). What’s bad about this security hole is that thousands of systems planet-wide were thought to be at risk. Bad Packets found a staggering 25,000 of them without really trying too hard yesterday.

Well, if you haven’t patched this, then you might be in trouble. Researchers have now publicly shared working exploit code for the remote takeover bug. The proof-of-concept code can be used to trivially achieve arbitrary code execution with no account credentials. Which of course is bad. But what is worse is that attacks have apparently already begun. Which means that as I type this, you might already be pwned by hackers. Thus I would suggest that if you have a Citrix Application Delivery Controller or Unified Gateway, you might want to put down that coffee and check to see if you’re protected from this. And if you aren’t, I’d be applying patches ASAP. Plus I’d be taking a look at your IT infrastructure to see if the bad guys are already in and setting up shop.

VPN Vulnerability Actively Being Exploited In The Wild…. Yikes!

Posted in Commentary on January 9, 2020 by itnerd

If you have a Pulse Secure VPN, you should be aware of an urgent patch that needed to be applied back in April of last year. The vulnerability that this patch fixes is CVE-2019-11510, and it can basically be abused to extract plain-text passwords, and other secrets, from networks without any authentication. Or put another way, it allows people without valid usernames and passwords to remotely connect to the corporate network the device is supposed to protect, turn off multi-factor authentication controls, and remotely view logs and cached passwords in plain text. And that includes Active Directory account passwords.

In case you are wondering, that’s very, very bad.

Now let’s pretend for a second that you did not apply this patch last April. Or you didn’t know about it. Well you might be in deep trouble as there’s a group that is now actively exploiting this vulnerability to pwn networks with ransomware. The latest victim to get pwned so far is UK based Travelex according to this article:

Travelex, the foreign currency exchange and travel insurance company, appears to be the latest victim of the group. On New Year’s Eve, the company was hit by Sodinokibi ransomware, also known as REvil. The ransomware operators contacted the BBC and said they want Travelex to pay $6m (£4.6m). They also claimed to have had access to Travelex’s network for six months and to have extracted five gigabytes of customer data—including dates of birth, credit card information, and other personally identifiable information.

“In the case of payment, we will delete and will not use that [data]base and restore them the entire network,” the individual claiming to be part of the Sodinokibi operation told the BBC. “The deadline for doubling the payment is two days. Then another seven days and the sale of the entire base.”

The group behind these attacks has seven victims so far, and that number is likely to grow. Bad Packets Report’s Troy Mursch ran a vulnerability scan and found that thousands of Pulse Secure VPN servers worldwide remain vulnerable. Which means that the pwnage has the potential to be epic. Thus if you’re using a Pulse Secure VPN, you should get to patching it now. As in right now. Seriously. Drop everything and do it now.

A Textbook Example As To Why You Need To Defend Yourself Against Cyber Threats – Part II

Posted in Commentary on January 6, 2020 by itnerd

Earlier today I wrote about a company whose less-than-optimal actions in response to a cyber attack left three hundred people out of work. Today I am going to bring you a story from Brian Krebs on another cyber attack and how it was badly handled:

In mid-November 2019, Wisconsin-based Virtual Care Provider Inc. (VCPI) was hit by the Ryuk ransomware strain. VCPI manages the IT systems for some 110 clients that serve approximately 2,400 nursing homes in 45 U.S. states. VCPI declined to pay the multi-million dollar ransom demanded by their extortionists, and the attack cut off many of those elder care facilities from their patient records, email and telephone service for days or weeks while VCPI rebuilt its network.

Just hours after that story was published, VCPI chief executive and owner Karen Christianson reached out to say she hoped I would write a follow-up piece about how they recovered from the incident. My reply was that I’d consider doing so if there was something in their experience that I thought others could learn from their handling of the incident.

I had no inkling at the time of how much I would learn in the days ahead.

Now I will stop here. Clearly this CEO thought that they were going to recover their IT systems and get up and running in glorious fashion, showing the world how well they handled it, attracting all sorts of positive press and making her look brilliant. Except that didn’t happen. It quickly became evident that the company had been further compromised. Here’s an example:

On December 3, I contacted Christianson to schedule a follow-up interview for the next day. On the morning of Dec. 4 (less than two hours before my scheduled call with VCPI and more than two weeks after the start of their ransomware attack) I heard via email from someone claiming to be part of the criminal group that launched the Ryuk ransomware inside VCPI.

That email was unsettling because its timing suggested that whoever sent it somehow knew I was going to speak with VCPI later that day. This person said they wanted me to reiterate a message they’d just sent to the owner of VCPI stating that their offer of a greatly reduced price for a digital key needed to unlock servers and workstations seized by the malware would expire soon if the company continued to ignore them.

“Maybe you chat to them lets see if that works,” the email suggested.

The anonymous individual behind that communication declined to provide proof that they were part of the group that held VCPI’s network for ransom, and after an increasingly combative and personally threatening exchange of messages soon stopped responding to requests for more information.

You can read the rest of the story for all the details. But what was clear was that the company had actually been pwned by hackers some 14 months earlier. And that the company had clearly been the victim of password theft. Which is how the hackers were able to intercept these emails, as they were still on the network.


The take home messages are as follows:

  1. When it comes to cybersecurity, you should start from the premise that the hackers are already in. As was the case here. And it is often the case in many cyberattacks. From there you can figure out how they got in, what they’ve touched, and how to get them out and keep them out. And you should do that long before something really bad happens.
  2. You should assume all passwords — not just endpoint/domain credentials — are compromised. This may mean changing/adding two factor authentication for hundreds or thousands of endpoints and servers. But doing that is better than getting pwned again.
  3. If you get pwned, get professional help. FireEye / Mandiant is who I would recommend. They aren’t cheap, but they have a proven track record of responding to stuff like this.

The bottom line is that cybersecurity isn’t to be taken lightly. You need to do everything possible to defend yourself. Otherwise, bad things will happen to you.


A Textbook Example As To Why You Need To Defend Yourself Against Cyber Threats

Posted in Commentary on January 6, 2020 by itnerd

If you don’t think that defending yourself against threats like ransomware should be at the top of your list of priorities, consider this story:

An Arkansas-based telemarketing firm sent home more than 300 employees and told them to find new jobs after IT recovery efforts didn’t go according to plan following a ransomware incident that took place at the start of October 2019:

Employees of Sherwood-based telemarketing firm The Heritage Company were notified of the decision just days before Christmas, via a letter sent by the company’s CEO. Speaking with local media, employees said they had no idea the company had even suffered a ransomware attack, and the layoffs were unexpected, catching many off guard. “Unfortunately, approximately two months ago our Heritage servers were attacked by malicious software that basically ‘held us hostage for ransom’ and we were forced to pay the crooks to get the ‘key’ just to get our systems back up and running,” wrote Sandra Franecke, the company’s CEO, in the letter sent to employees. She goes on to say that data recovery efforts, initially estimated at one week, have not gone according to plan and the company had failed to recover full service by Christmas. Franecke said the company lost “hundreds of thousands of dollars” because of the incident and have been forced to “restructure different areas in the company.” As a result of the botched ransomware recovery process, the company’s leadership decided to suspend all services, leaving more than 300 employees without jobs.

So let me summarize this for you.

Due to the shortsightedness of this company’s CEO, CTO and executive management, their IT systems were not properly built and secured. They figured that this was an acceptable risk and spent money elsewhere rather than on protecting themselves from something like a ransomware attack. Then they got pwned and had to pay up to try and get back up and running. Except that their attempts to get back up and running failed, and now 300 people are out of work.

This is a textbook example of why companies of all sizes need to protect themselves. Companies are responsible for their employees, and they need to ensure that they are taking any and all steps to be properly protected from this sort of thing. Otherwise you end up with a situation like this one.

Life Labs Gets Sued After Getting Pwned

Posted in Commentary on December 27, 2019 by itnerd

You had to know that after getting hacked, LifeLabs would be facing a lawsuit of some sort. Now, according to CBC, a class action lawsuit has been filed:

A B.C. man is attempting to launch a class-action lawsuit against Canadian laboratory testing company LifeLabs, one day after it announced a large cyberattack on its systems affecting the private information of 15 million Canadians.

Kenneth Morrison, a retired Vancouver computer technician, filed a notice of civil claim against LifeLabs Wednesday in the Supreme Court of British Columbia, alleging the company breached its contract with Morrison to keep his private information safe.

None of the allegations have been proven in court.

The company has 21 days to respond. And it will be interesting to see how they respond. The thing is that I think that they will have difficulty defending themselves given the facts that are at hand. Thus they might want to get the chequebook ready.